X-XSS-Protection

Provides protection against reflected cross-site scripting attacks.

Setting this header will protect a user if the web browser detects that a reflected cross-site scripting (XSS) attack is underway. There are 4 possible values for this header.

  • 0: Disables XSS filtering. (recommended setting)
  • 1: If an XSS attack is detected, the browser will sanitize the page by removing the unsafe parts.
  • 1;mode=block: If an XSS attack is detected, the browser will not display the page at all.
  • 1;report=<URI>: If an XSS attack is detected, the browser will sanitize the page and send a report to the given URI.

This is an obsolete header that modern web browsers no longer honour, because its functionality has been replaced by a properly configured Content-Security-Policy (CSP) header. Our recommendation is to set this header's value to 0 to disable it. When the filter is enabled, attackers can break portions of your website by sharing specially crafted links to your site that trigger the filter in older browsers. It is better to handle reflected XSS via a CSP header now.
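As an added example (not ValidBot's own test code), the following Python checker parses the four documented forms of the header and reports whether a set of response headers follows the recommendation above; the sample headers in `main` are constructed for illustration.

```python
# The four documented values of X-XSS-Protection, for reference.
MODES = {
    "0": "filter disabled (recommended)",
    "1": "filter enabled, browser sanitizes the page",
    "1;mode=block": "filter enabled, browser blocks the page",
    "1;report=<URI>": "filter enabled, browser sanitizes and reports to URI",
}


def parse_xss_protection(value):
    """Return (enabled, mode, report_uri) for a raw header value.

    Directives are separated by ';' and may have whitespace around them.
    Raises ValueError for anything outside the documented forms.
    """
    tokens = [t.strip() for t in value.split(";") if t.strip()]
    if not tokens or tokens[0] not in ("0", "1"):
        raise ValueError(f"unrecognised X-XSS-Protection value: {value!r}")
    enabled = tokens[0] == "1"
    mode, report_uri = None, None
    for tok in tokens[1:]:
        key, _, val = tok.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "mode" and val.lower() == "block":
            mode = "block"
        elif key == "report" and val:
            report_uri = val
        else:
            raise ValueError(f"unrecognised directive: {tok!r}")
    return enabled, mode, report_uri


def assess(headers):
    """Return a list of findings for a dict of response headers.

    Header names are matched case-insensitively. An empty list means the
    recommendation is met: X-XSS-Protection is 0 and a CSP header exists.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    findings = []
    raw = lowered.get("x-xss-protection")
    if raw is None:
        findings.append("X-XSS-Protection missing; set it to 0 explicitly")
    elif parse_xss_protection(raw)[0]:
        findings.append(f"X-XSS-Protection enables the legacy filter ({raw!r}); set it to 0")
    if "content-security-policy" not in lowered:
        findings.append("Content-Security-Policy missing; CSP should replace the XSS filter")
    return findings


if __name__ == "__main__":
    # Constructed sample responses: one following the advice, one legacy.
    print(assess({"X-XSS-Protection": "0", "Content-Security-Policy": "default-src 'self'"}))
    print(assess({"x-xss-protection": "1; mode=block"}))
```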

For more information about reflected cross-site scripting attacks and how ValidBot tests your website, please read about our X-XSS-Protection Validation Test. We also have a detailed article about additional security headers if you want to fully protect your users.

Ready to validate your website to check for this header and 100+ other important tests?