X-XSS-Protection header disabled

OWASP 2013-A5 OWASP 2017-A6 OWASP 2021-A5 OWASP 2019-API7 OWASP PC-C1 CWE-16 HIPAA-164.308(a) ISO27001-A.14.2.5 WASC-15

The X-XSS-Protection response header is one of the major features of most of the web browsers to stop cross-site scripting. It stops the pages from loading when they detect reflected cross-site scripting attacks. It is found that the X XSS Protection header is disabled in the application. This application is at risk due to its vulnerability to Cross-site Scripting attacks.The X-XSS-Protection header is designed to enable the cross-site scripting filter built into modern web browsers.

    X-XSS-Protection: 0                              # Disable XSS filtering
    X-XSS-Protection: 1                              # Enables filtering. If cross site scripting detected - the browser will sanitise
    X-XSS-Protection: 1; mode=block                  # Under this mode, when cross site scripting detected - the browser wont render the page
    X-XSS-Protection: 1; report=<reporting-uri>        # Enables filtering, when detected - the browser will sanitise and report the violation



    X-XSS-Protection: 1; mode=block



The major impact for this violation is cross-scripting attacks.

Mitigation / Precaution

The only mitigation is to enable the X-XSS-Protection and set the value to 1.


    header("X-XSS-Protection: 1; mode=block");


Apache (.htaccess)

    <IfModule mod_headers.c>
      Header set X-XSS-Protection "1; mode=block"



    add_header "X-XSS-Protection" "1; mode=block";


Latest Articles