The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. Although these protections are largely unnecessary in modern browsers when sites implement a strong Content-Security-Policy that disables the use of inline JavaScript ('unsafe-inline'), they can still provide protections for users of older web browsers that don't yet support CSP.

Header type Response header
Forbidden header name no


X-XSS-Protection: 0
X-XSS-Protection: 1
X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; report=<reporting-uri>
Disables XSS filtering.
Enables XSS filtering (usually default in browsers). If a cross-site scripting attack is detected, the browser will sanitize the page (remove the unsafe parts).
Enables XSS filtering. Rather than sanitizing the page, the browser will prevent rendering of the page if an attack is detected.
1; report=<reporting-URI> (Chromium only)
Enables XSS filtering. If a cross-site scripting attack is detected, the browser will sanitize the page and report the violation. This uses the functionality of the CSP report-uri directive to send a report.


Block pages from loading when they detect reflected XSS attacks:

X-XSS-Protection: 1;mode=block


header("X-XSS-Protection: 1; mode=block");

Apache (.htaccess)

<IfModule mod_headers.c> 
  Header set X-XSS-Protection "1; mode=block" 


Not part of any specifications or drafts.

Browser compatibility

Feature Chrome Edge Firefox Internet Explorer Opera Safari Servo
X-XSS-Protection (Yes) (Yes) No support 8.0 (Yes) (Yes) No support
Feature Android Chrome for Android Edge Mobile Firefox for Android IE Mobile Opera Mobile Safari Mobile
X-XSS-Protection (Yes) (Yes) (Yes) No support ? (Yes) (Yes)

See also

© 2005–2017 Mozilla Developer Network and individual contributors.
Licensed under the Creative Commons Attribution-ShareAlike License v2.5 or later.