X-XSS-Protection

Provides protection against reflected cross-site scripting attacks.

Setting this header will protect a user if the web browser detects that a reflected cross-site scripting (XSS) attack is underway. There are 4 possible values for this header.

  • 0: Disables XSS filtering.
  • 1: If an XSS attack is detected, the page will be sanitized by the browser (recommended setting).
  • 1;mode=block: If an XSS attack is detected, the page will not be displayed.
  • 1;report=<URI>: If an XSS attack is detected, the page will be sanitized and reported to you via the URI mechanism.
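
As an added example (not ValidBot's own code), the following Python sketch classifies a received header value into the four settings listed above. The function names, result labels, and sample header values are assumptions made for illustration; any value outside the four listed forms is reported as "unrecognized".

```python
from typing import Mapping, NamedTuple, Optional


class XssProtection(NamedTuple):
    # One of: "disabled", "sanitize", "block", "report", "unrecognized", "missing"
    setting: str
    report_uri: Optional[str] = None


def parse_x_xss_protection(value: str) -> XssProtection:
    """Map a header value onto the four settings listed on this page."""
    parts = [p.strip() for p in value.split(";")]
    flag = parts[0]
    directives = [p for p in parts[1:] if p]  # ignore empty trailing segments
    if flag == "0" and not directives:
        return XssProtection("disabled")
    # This sketch only knows the four listed forms: "1" plus at most one directive.
    if flag != "1" or len(directives) > 1:
        return XssProtection("unrecognized")
    if not directives:
        return XssProtection("sanitize")
    name, sep, arg = directives[0].partition("=")
    name, arg = name.strip().lower(), arg.strip()
    if name == "mode" and arg.lower() == "block":
        return XssProtection("block")
    if name == "report" and sep and arg:
        return XssProtection("report", arg)
    return XssProtection("unrecognized")


def audit(headers: Mapping[str, str]) -> XssProtection:
    """Look the header up case-insensitively in a response-header mapping."""
    for key, value in headers.items():
        if key.lower() == "x-xss-protection":
            return parse_x_xss_protection(value)
    return XssProtection("missing")


if __name__ == "__main__":
    # Constructed sample values, not captured from a real site.
    for sample in ["0", "1", "1; mode=block", "1;report=https://example.test/xss", "2"]:
        print(f"{sample!r:40} -> {parse_x_xss_protection(sample)}")
```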

For more information about reflected cross-site scripting attacks and how ValidBot tests your website, please read about our X-XSS-Protection Validation Test. We also have a detailed article about additional security headers if you want to fully protect your users.

For more information about this header, please read the documentation on MDN Web Docs.