Non-standard: This feature is non-standard and is not on a standards track. Do not use it on production sites facing the Web: it will not work for every user. There may also be large incompatibilities between implementations and the behavior may change in the future.
The X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. These protections are largely unnecessary in modern browsers when sites implement a strong
Warning: Even though this feature can protect users of older web browsers that don't yet support CSP, in some cases, XSS protection can create XSS vulnerabilities in otherwise safe websites. See the section below for more information.
- Chrome has removed their XSS Auditor
- Firefox has not implemented an XSS filter, and will not
- Edge has retired their XSS filter
This means that if you do not need to support legacy browsers, it is recommended that you use Content-Security-Policy without allowing unsafe-inline scripts instead.
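To make the recommendation above checkable, the following added example (not code from the page or from MDN) inspects a set of response headers and reports whether they still rely on the legacy X-XSS-Protection filter and whether the Content-Security-Policy actually forbids inline scripts. It applies two CSP rules: script-src falls back to default-src when absent, and 'unsafe-inline' is ignored by CSP Level 2+ browsers once a nonce or hash source is present in the same directive. The header sets at the bottom are constructed for illustration.

```python
"""Added example: assess response headers against the advice
'use Content-Security-Policy without unsafe-inline instead of
X-XSS-Protection'. Sample headers below are constructed."""

LEGACY_HEADER = "x-xss-protection"
CSP_HEADER = "content-security-policy"
# Source expressions that make browsers ignore 'unsafe-inline' in the same directive.
NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Parse a CSP header value into {directive-name: [source expressions]}.
    Per the CSP spec, the first occurrence of a directive wins; later
    duplicates are ignored, so setdefault() is used rather than assignment."""
    directives: dict[str, list[str]] = {}
    for token in policy.split(";"):
        parts = token.strip().split()
        if not parts:
            continue
        directives.setdefault(parts[0].lower(), parts[1:])
    return directives


def script_sources(directives: dict[str, list[str]]):
    """Return the source list governing scripts, or None when nothing restricts them.
    script-src falls back to default-src when absent."""
    if "script-src" in directives:
        return directives["script-src"]
    return directives.get("default-src")


def allows_inline_scripts(policy: str) -> bool:
    """True when the policy lets inline <script> blocks and event handlers run."""
    sources = script_sources(parse_csp(policy))
    if sources is None:
        return True  # no script-src and no default-src: inline scripts are unrestricted
    lowered = [s.lower() for s in sources]
    if "'unsafe-inline'" not in lowered:
        return False
    # 'unsafe-inline' is present; it is neutralised only if a nonce or hash is also listed.
    has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH_PREFIXES) for s in lowered)
    return not has_nonce_or_hash


def assess_headers(headers: dict[str, str]) -> list[str]:
    """Return a list of findings; an empty list means the headers follow the advice.
    Header names are compared case-insensitively, as HTTP requires."""
    lowered = {name.lower(): value for name, value in headers.items()}
    findings: list[str] = []
    legacy = lowered.get(LEGACY_HEADER)
    # A value of 0 disables the legacy filter; anything else turns it on.
    if legacy is not None and not legacy.strip().startswith("0"):
        findings.append("X-XSS-Protection enables a legacy browser filter; it is not a substitute for CSP")
    csp = lowered.get(CSP_HEADER)
    if csp is None:
        findings.append("no Content-Security-Policy header")
    elif allows_inline_scripts(csp):
        findings.append("Content-Security-Policy allows inline scripts")
    return findings


# Constructed sample header sets (not captured from any real site).
LEGACY_ONLY = {"X-XSS-Protection": "1; mode=block"}
WEAK_CSP = {"Content-Security-Policy": "script-src 'self' 'unsafe-inline'"}
RECOMMENDED = {
    "X-XSS-Protection": "0",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-c0nstructed'",
}

if __name__ == "__main__":
    for label, hdrs in (("legacy only", LEGACY_ONLY), ("weak CSP", WEAK_CSP), ("recommended", RECOMMENDED)):
        print(f"{label}: {assess_headers(hdrs) or ['ok']}")
```

The check deliberately reports a policy such as `script-src 'self' 'nonce-…' 'unsafe-inline'` as safe: listing 'unsafe-inline' next to a nonce is the usual way to keep old CSP Level 1 browsers working while modern browsers ignore it.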
| | |
|---|---|
| Header type | Response header |
| Forbidden header name | no |