API Pricing RU Sign In

Site Analysis

HTTP Headers Advanced Health Score PageSpeed Security Redirect Chain Broken Links HTTP/2 & HTTP/3

Domain & DNS

DNS DNS Propagation WHOIS SSL CMS Detector

Network

Ping Traceroute IP ASN Lookup IP/CIDR Calculator

Security

Spam Lists RKN Check IP Abuse Check DKIM Generator Email Deliverability Mixed Content SEO Audit Schema Checker Site Comparison

SEO & AI

Robots.txt AI Readiness llms.txt Keywords

Utilities

Formatter Cron Tester JWT Decoder TTL Calculator Batch Heartbeat Status Pages

Information

API Documentation Articles Pricing Help Contact

RU Sign In Sign Up

Home / HTTP Headers / X-XSS-Protection

← All HTTP Headers

Security

X-XSS-Protection

Legacy header that enabled the browser's built-in XSS filter. Now deprecated in favor of Content-Security-Policy.

Syntax

X-XSS-Protection: 0 | 1 | 1; mode=block

Example

X-XSS-Protection: 0

Description

X-XSS-Protection enabled the XSS filter in older browsers. Values: 0 (disable), 1 (enable), 1; mode=block (block page on detection).

Recommended modern value is 0 — the filter itself can introduce vulnerabilities.

Deprecated. Modern browsers removed the XSS auditor. Use Content-Security-Policy instead.

Check if your website sends this header correctly

Check your headers →

Web Server Security Hardening Checklist: Nginx and Apache

Complete web server hardening checklist for nginx and Apache. File permissions, security headers, TLS configuration, access control, and monitoring.

Security Headers: CSP, HSTS, X-Frame-Options and More

How to protect your website with HTTP security headers. Configuring Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, and other headers.

Related Headers

Content-Security-Policy

Controls which resources the browser is allowed to load for a page, helping prevent XSS and data injection attacks.

Cross-Origin-Opener-Policy

Isolates the browsing context to prevent cross-origin attacks like Spectre from accessing sensitive data.

Cross-Origin-Resource-Policy

Restricts which origins can load a resource, preventing unauthorized cross-origin reads.

Permissions-Policy

Controls which browser features and APIs can be used on the page, such as camera, microphone, and geolocation.

Referrer-Policy

Controls how much referrer information is included with requests, balancing privacy with analytics needs.

Strict-Transport-Security

Instructs browsers to only access the site via HTTPS, protecting against protocol downgrade attacks and cookie hijacking.

Start monitoring for free

Create Account API Documentation

⚡

enterno.io

Website monitoring and analysis tools

Site Analysis HTTP Headers Advanced Health Score PageSpeed Security Redirect Chain Broken Links HTTP/2 & HTTP/3

Domain & DNS & Network DNS Lookup DNS Propagation WHOIS SSL Check CMS Detector Ping & Ports Traceroute IP Geolocation ASN Lookup IP/CIDR Calculator

Security Spam Lists RKN Check IP Abuse Check DKIM Generator Email Deliverability Mixed Content

SEO & AI & Utilities Robots.txt AI Readiness llms.txt Keywords SEO Audit Schema Checker Site Comparison Formatter Cron Tester JWT Decoder TTL Calculator Batch Check

Service API Documentation Pricing Help Compare Articles HTTP Headers Reference HTTP Status Codes Contact Privacy Policy Terms of Service Heartbeat Status Pages

PHP 8.4 · Hosting: Russia