Skip to content

Insecure HTTP Header Setting: X-XSS-Protection Header

Insecure HTTP Header Setting: X-XSS-Protection Header

Description

The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome, and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.

Recommendation

Add the X-XSS-Protection header with a value of "1; mode= block".

X-XSS-Protection: 1; mode=block

Standards