X-XSS-Protection header invalid

Published on
19 Jun 2022
1 min read

The X-XSS-Protection response header is one of the major features of almost all famous web browsers to stop cross-site scripting. It stops the pages from loading when they detect reflected cross-site scripting attacks. This application does not have a recognising X-XSS-Protection header. This application is at risk due to its vulnerability to Cross-site Scripting attacks. The value of X-XSS-Protection header only is zero or one.

    X-XSS-Protection: 0                              # Disable XSS filtering
    X-XSS-Protection: 1                              # Enables filtering. If cross site scripting detected - the browser will sanitise
    X-XSS-Protection: 1; mode=block                  # Under this mode, when cross site scripting detected - the browser wont render the page
    X-XSS-Protection: 1; report=<reporting-uri>        # Enables filtering, when detected - the browser will sanitise and report the violation



    X-XSS-Protection: 1; mode=block



The major impact for this violation is cross-scripting attacks.

Mitigation / Precaution

Beagle recommends changing the X-XSS-Protection value to 0 or 1.


    header("X-XSS-Protection: 1; mode=block");


Apache (.htaccess)

    <IfModule mod_headers.c>
      Header set X-XSS-Protection "1; mode=block"



    add_header "X-XSS-Protection" "1; mode=block";

Automated human-like penetration testing for your web apps & APIs
Teams using Beagle Security are set up in minutes, embrace release-based CI/CD security testing and save up to 65% with timely remediation of vulnerabilities. Sign up for a free account to see what it can do for you.

Written by
Co-founder, Director
Find website security issues in a flash
Improve your website's security posture with proactive vulnerability detection.
Free website security assessment