X-XSS-Protection
Security Glossary - Security Headers
Definition: X-XSS-Protection was a security header that controlled the browser's built-in XSS filtering mechanism. It could enable (1), disable (0), or configure the XSS filter to block pages (1; mode=block). Modern browsers have removed their XSS filters, and the recommended setting is now X-XSS-Protection: 0 to disable it, relying on CSP instead.
Why X-XSS-Protection Is Important
The X-XSS-Protection header is a legacy security control that is no longer recommended in its filtering mode. Chrome removed its XSS Auditor in version 78, and other browsers followed. The reason was that the XSS filter itself could be exploited to create new vulnerabilities through selective script blocking.
The current recommendation is to set X-XSS-Protection: 0 to explicitly disable any remaining XSS filter behavior, and rely on Content Security Policy for XSS protection instead. CSP is a stronger and more granular defense against script injection.
Despite being deprecated, this header still appears in security scanner reports. Setting it to 0 is a quick win that prevents any residual XSS filter from being exploited. Combined with a strong CSP, it covers XSS protection without the risks of the old browser-based filter.
How to Check
A security audit checks the X-XSS-Protection header. It should be set to "0" on modern sites. If it is set to "1" or "1; mode=block", consider changing to "0" and implementing a Content Security Policy instead for XSS protection.
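The audit step above as a small Python checker, added here as an example (not the page's own code): it parses the header's directive syntax, flags the deprecated "1" and "1; mode=block" forms, and notes whether a Content-Security-Policy is present. The sample response headers are constructed for the example.

```python
"""Evaluate X-XSS-Protection on a set of response headers and recommend
the modern setting (0 plus CSP). Sample headers below are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass
class Finding:
    status: str           # "ok", "warn" or "missing"
    recommendation: str

def parse_xss_protection(value: str) -> Tuple[Optional[str], Dict[str, str]]:
    """Parse '0', '1', '1; mode=block' or '1; report=<uri>' into
    (flag, directives). Returns (None, {}) if the leading token is not 0/1."""
    parts = [p.strip() for p in value.split(";")]
    flag = parts[0]
    if flag not in ("0", "1"):
        return None, {}
    directives: Dict[str, str] = {}
    for part in parts[1:]:
        if part:                       # tolerate trailing ';'
            key, _, val = part.partition("=")
            directives[key.strip().lower()] = val.strip()
    return flag, directives

def audit_headers(headers: Dict[str, str]) -> Finding:
    """Header names are matched case-insensitively, as HTTP requires."""
    lower = {k.lower(): v for k, v in headers.items()}
    csp_note = "" if "content-security-policy" in lower else \
        " Add a Content-Security-Policy header for XSS protection."
    raw = lower.get("x-xss-protection")
    if raw is None:
        return Finding("missing", "Set X-XSS-Protection: 0 to disable any "
                       "residual browser XSS filter." + csp_note)
    flag, directives = parse_xss_protection(raw)
    if flag is None:
        return Finding("warn", f"Unparseable value {raw!r}; replace with "
                       "X-XSS-Protection: 0." + csp_note)
    if flag == "0":
        return Finding("ok", "Deprecated XSS filter explicitly disabled." + csp_note)
    mode = directives.get("mode", "filter")   # '1' alone means sanitising mode
    return Finding("warn", f"Value '1' (mode={mode}) enables the removed XSS "
                   "auditor; change to X-XSS-Protection: 0." + csp_note)

# Constructed sample responses, not captured from any real site.
SAMPLE_RESPONSES = {
    "legacy": {"X-XSS-Protection": "1; mode=block"},
    "modern": {"x-xss-protection": "0", "Content-Security-Policy": "default-src 'self'"},
    "absent": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        f = audit_headers(hdrs)
        print(f"{name}: {f.status} - {f.recommendation}")
```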
Myths vs. Reality
Myth: X-XSS-Protection protects against XSS attacks
Reality: The XSS auditor it controlled was removed from all major browsers by 2020. Chrome removed it in v78, Edge in v79, and Firefox never implemented it. The header has no effect in modern browsers.
Myth: Setting X-XSS-Protection: 1; mode=block is still good practice
Reality: In some edge cases, the XSS auditor could be exploited to leak information or create new vulnerabilities. The recommended setting is now X-XSS-Protection: 0 to explicitly disable it, combined with a strong CSP.
Common Questions About X-XSS-Protection
Why should I set X-XSS-Protection to 0 instead of 1?
The browser XSS filters that this header controlled have been removed because they could be exploited to cause new vulnerabilities. Setting it to 0 explicitly disables any residual behavior. Use Content Security Policy for XSS prevention instead.
Do I still need this header if I have CSP?
Setting X-XSS-Protection: 0 is still recommended to explicitly disable the deprecated XSS filter, even with CSP in place. It is a single-line addition that prevents edge cases in older browser versions that might still have the filter.