Checks for the presence of the 'X-XSS-Protection' header, which protects against some attacks.
This test checks for the presence of the X-XSS-Protection header with a value of "1". With this value, a web browser will sanitize or block the loading of a page if it detects a reflected cross-site scripting (XSS) attack.

Reflected XSS Attacks
A reflected XSS attack can happen if a website takes unsanitized user input and displays it on the page where another user could see it. For example, a website's URL may contain parameters such as www.example.com?search=socks, and the page may then show a search bar with "socks" reflected in the input box. If the website has not taken care to sanitize the value of the "search" parameter, an attacker could put malicious code there and trick someone into loading the malicious URL. In this example, www.example.com?search=<script> ... </script> would cause the page to run any code that the attacker wants. This code can view any information and perform any action that the user could perform on their own, so it is very dangerous.
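The search-box case above, as an added example that is not code from the original page: the same "search" parameter is rendered once unchanged and once with HTML encoding applied at output. The function names, the input template and the percent-encoded sample URLs are constructed for illustration.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample URLs: the first is the page's own example; the other two
# percent-encode the page's <script> ... </script> value and a benign 12" ruler search.
SOCKS_URL = "www.example.com?search=socks"
SCRIPT_URL = "www.example.com?search=%3Cscript%3E%20...%20%3C%2Fscript%3E"
RULER_URL = "www.example.com?search=12%22+ruler"

# Assumed markup for the search bar; the value sits inside a quoted attribute.
TEMPLATE = '<input name="search" value="%s">'


def search_term(url):
    """Return the decoded 'search' query parameter, or '' when it is absent."""
    return parse_qs(urlsplit(url).query).get("search", [""])[0]


def render_unsafe(url):
    """Vulnerable form: the decoded parameter is pasted into the HTML unchanged."""
    return TEMPLATE % search_term(url)


def render_safe(url):
    """Hardened form: encode &, <, > and both quote characters before output.

    quote=True matters here because the value lands inside a quoted attribute.
    """
    return TEMPLATE % html.escape(search_term(url), quote=True)


if __name__ == "__main__":
    for url in (SOCKS_URL, SCRIPT_URL, RULER_URL):
        print("unsafe:", render_unsafe(url))
        print("safe:  ", render_safe(url))
```

The 12" ruler search shows that the unencoded form is also a plain correctness bug: the quote ends the attribute early, so the box shows 12 instead of what the user typed.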
When the "X-XSS-Protection" header is set, and the browser detects executable code in the URL, it will automatically sanitize the webpage and prevent the attack from happening. This header works for Safari as well as some older web browsers, so we recommend including it. For more information about the possible values for this header, please read our documentation for the X-XSS-Protection Header.

Stored XSS Attacks