X-XSS-Protection [DEPRECATED]
The X-XSS-Protection security header is a legacy header that was created to control the browser’s built-in protection against Reflected Cross-Site Scripting (XSS) attacks. In the past, XSS protection was built into Internet Explorer, Chrome, Edge, and Safari. Firefox never implemented XSS protection.
When a browser with built-in and activated XSS protections detected an XSS attack, the browser would automatically remove the unsafe scripts from the page.
X-XSS-Protection Options
The X-XSS-Protection header has the following options:
0 -> Disable XSS filtering
1 -> Enable XSS filter mode (remove unsafe scripts)
1; mode=block -> Enable XSS block mode (block loading of pages with unsafe scripts)
1; report=<reporting-URI> -> Enable XSS filter mode and report violations to the provided URL
X-XSS-Protection Problems
The problem with XSS protection is that it introduced new possibilities for cross-site information leak attacks. Because of this, in 2016 the XSS auditor in Chrome switched from filter mode to block mode, which completely blocked loading of a page when an XSS attack was detected.
Not long after this change, security researchers found different ways to abuse the XSS auditor's block mode to steal information such as tokens from web sessions. There were also numerous issues with legitimate scripts being falsely blocked. Because of these issues, Chrome switched back to filter mode in 2019, thereby reintroducing the cross-site information leak vulnerabilities.
Within three months Chrome removed their XSS auditor altogether, after Edge had already done the same for their XSS filter in 2018. The consensus among security researchers is that XSS protection in browsers is best disabled and that the Content Security Policy (CSP) header should instead be used to mitigate XSS vulnerabilities.
NOTE: Really Simple Security Pro sets the X-XSS-Protection header to the recommended value of “0” (= disable XSS filtering) by default, from version 5.4 onwards (since May 2022).
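As an added example (not code from the original article or from the Really Simple Security plugin), the following Python parses the four X-XSS-Protection forms listed above and audits a set of response headers against the recommendation in this article: the header should be "0" and XSS mitigation should come from a Content-Security-Policy header. The header maps used in the test are constructed sample data.

```python
"""Parse X-XSS-Protection values and audit response headers for the legacy filter."""
import re
from typing import Dict, List, Optional, Tuple

# Matches the two documented directives: mode=block and report=<reporting-URI>
_DIRECTIVE_RE = re.compile(r"^\s*(mode|report)\s*=\s*(.+?)\s*$", re.IGNORECASE)


def parse_xss_protection(value: str) -> Tuple[int, Optional[str], Optional[str]]:
    """Return (enabled, mode, report_uri) for an X-XSS-Protection header value.

    enabled is 0 or 1, mode is "block" when "mode=block" is present, and
    report_uri is the URL given to "report=". Raises ValueError on anything
    outside the four documented forms. Assumption: the reporting URI itself
    contains no ';', since ';' is the directive separator.
    """
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts or parts[0] not in ("0", "1"):
        raise ValueError(f"unrecognised X-XSS-Protection value: {value!r}")
    enabled, mode, report_uri = int(parts[0]), None, None
    for directive in parts[1:]:
        match = _DIRECTIVE_RE.match(directive)
        if not match:
            raise ValueError(f"unrecognised directive: {directive!r}")
        name, arg = match.group(1).lower(), match.group(2)
        if name == "mode":
            if arg.lower() != "block":
                raise ValueError(f"unsupported mode: {arg!r}")
            mode = "block"
        else:
            report_uri = arg
    return enabled, mode, report_uri


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for a response header map (header names compared case-insensitively)."""
    lower = {name.lower(): val for name, val in headers.items()}
    findings: List[str] = []
    raw = lower.get("x-xss-protection")
    if raw is not None:
        try:
            enabled, mode, report_uri = parse_xss_protection(raw)
        except ValueError as exc:
            findings.append(f"X-XSS-Protection malformed: {exc}")
        else:
            if enabled:  # legacy auditor re-enabled in browsers that still honour it
                detail = "block mode" if mode == "block" else "filter mode"
                findings.append(f"X-XSS-Protection enables legacy auditor ({detail}); set it to 0")
                if report_uri:
                    findings.append(f"X-XSS-Protection reports violations to {report_uri}")
    if "content-security-policy" not in lower:
        findings.append("Content-Security-Policy missing; CSP is the recommended XSS mitigation")
    return findings
```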
Sources:
https://owasp.org/www-project-secure-headers/#x-xss-protection
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
https://scotthelme.co.uk/deprecating-xss-reports
https://www.virtuesecurity.com/understanding-xss-auditor