- September 12, 2023: Separated finding messages.
- February 14, 2022: Linked to the OWASP cheat sheet.
- August 31, 2018: Published.
Optional for both HTTP/1.0 and HTTP/1.1
Setting X-XSS-Protection to “FIELD” helps prevent common cross-site scripting attacks by having the browser filter and block suspected malicious scripts. For the first directive, “0” disables the client-side XSS filter and “1” enables it. “mode=block” prevents the browser from rendering a page in which suspected XSS has been detected, rather than merely sanitizing the page. The report directive can be either a path or a URL.
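As an added example (not part of the original finding text), the following check parses an X-XSS-Protection header value according to the grammar described above and produces the kind of finding message an audit would report; the header names and messages are constructed for illustration.

```python
# Added example: parse and assess an X-XSS-Protection header value.
# Grammar covered here: "0" | "1" [; mode=block] [; report=<path-or-URL>]
# Note: current Chromium, Firefox and Edge no longer implement this filter,
# so treat the header as legacy hardening rather than a primary XSS control.

VALID_DIRECTIVES = {"mode", "report"}


def parse_xss_protection(value: str) -> dict:
    """Return enabled/mode/report fields plus a list of syntax errors."""
    result = {"enabled": None, "mode": None, "report": None, "errors": []}
    parts = [p.strip() for p in value.split(";")]
    first = parts[0]
    if first not in ("0", "1"):
        result["errors"].append(f"first directive must be 0 or 1, got {first!r}")
        return result
    result["enabled"] = first == "1"
    for directive in parts[1:]:
        if not directive:
            continue  # tolerate a trailing semicolon
        # partition on the first "=" so a report URL containing "=" stays intact
        name, _, val = directive.partition("=")
        name, val = name.strip().lower(), val.strip()
        if name not in VALID_DIRECTIVES:
            result["errors"].append(f"unknown directive {name!r}")
        elif name == "mode" and val != "block":
            result["errors"].append(f"mode must be 'block', got {val!r}")
        elif name == "report" and not val:
            result["errors"].append("report directive needs a path or URL")
        else:
            result[name] = val
    if not result["enabled"] and (result["mode"] or result["report"]):
        result["errors"].append("mode/report have no effect when the filter is disabled (0)")
    return result


def assess_response_headers(headers: dict) -> str:
    """Produce a finding message for a dict of response headers (name match is case-insensitive)."""
    value = next((v for k, v in headers.items() if k.lower() == "x-xss-protection"), None)
    if value is None:
        return "X-XSS-Protection header is missing"
    parsed = parse_xss_protection(value)
    if parsed["errors"]:
        return "X-XSS-Protection header is malformed: " + "; ".join(parsed["errors"])
    if not parsed["enabled"]:
        return "X-XSS-Protection is set to 0 (client-side filter disabled)"
    if parsed["mode"] != "block":
        return "X-XSS-Protection is enabled without mode=block"
    return "X-XSS-Protection is set to 1; mode=block"
```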
For more information about this directive, see:
- OWASP, “Cross Site Scripting Prevention Cheat Sheet”
- Veracode Guidelines for Setting Security Headers
See finding messages.