Home » Definitions » What is X-XSS-Protection

What is X-XSS-Protection

Leon Wimmenhoeve
April 27, 2022
10:47 am

[DEPRECATED] The X-XSS-Protection security header was created to control the built-in protection against Reflected Cross-Site Scripting (XSS) attacks in web browsers. In the past XSS protection was built into Internet Explorer, Chrome, Edge, and Safari. Firefox never implemented XSS protection. When a browser with built-in and activated XSS protections detected an XSS attack, the browser would remove the unsafe scripts from the page.

Options

The X-XSS-Protection header has the following options: 0 -> Disable XSS filtering 1 -> Enable XSS filter mode (remove unsafe scripts) 1; mode=block -> Enable XSS block mode (block loading of pages with unsafe scripts) 1; report=<reporting-URI> -> Enable XSS filter mode and report violations to the provided URL

Problems

The problem with XSS protection is that is introduces new possibilities for cross-site information leak attacks. Because of this in 2016 the XSS auditor in Chrome switched from filter mode to block mode that completely blocked loading of a page when XSS was detected. Not long after this change, security researchers found different ways to abuse the XSS auditors block mode to steal information like tokens from web sessions and there were also numerous issues with falsely blocked legitimate scripts. Because of these issues, Chrome switched back to filter mode in 2019 thereby reintroducing the cross site information leak vulnerabilities. Within three months Chrome removed their XSS auditor altogether after Edge had already done the same for their XSS filter in 2018. Currently (May 2022) only Internet Explorer and Safari still have built-in XSS protection. The consensus among security researchers is that XSS protection in browsers is best disabled and that the Content Security Policy header (CSP) is used to mitigate XSS vulnerabilities.

References

https://owasp.org/www-project-secure-headers/#x-xss-protection https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection https://scotthelme.co.uk/deprecating-xss-reports https://www.virtuesecurity.com/understanding-xss-auditor NOTE: When enabled, Really Simple SSL Pro will set this header to “0” (disable XSS filtering) from version 5.4 onwards (May 2022).

Simple and Performant Security.
Easily improve site security with WordPress Hardening, Two-Factor Authentication (2FA), Login Protection, Vulnerability Detection and SSL certificate generation.

In this article

Definitions

What is Two-Factor Authentication?

What is Let’s Encrypt?

What are Application Passwords?

What is Cross-site Scripting?

What is a Content Security Policy?

What is a Permissions Policy?

What are Recommended Security Headers?

What are Hardening Features?

What are Cross Origin Policies?

What is a TLS protocol?

What are Secure Cookies?

What are User Enumeration Attacks?

Categories

Most popular

Configuring Really Simple Security with WP-CLI

How to Fix The “Link you followed has Expired” error on WordPress

404 not found errors

Protecting site visitors with Security Headers

Hardening your website’s security

Login protection as essential security

Why WordPress is (in)secure

Staying ahead of vulnerabilities

Password has been found in a data breach

Preventing the use of compromised passwords

Our journey towards Really Simple Security

What is X-XSS-Protection

Options

Problems

References

Join our mailing list - 6 Tips & Tricks in your inbox over the next days!

Plugins

Get Started

About

Popular articles