What is X-XSS-Protection

[DEPRECATED] The X-XSS-Protection security header was created to control the built-in protection against Reflected Cross-Site Scripting (XSS) attacks in web browsers. In the past XSS protection was built into Internet Explorer, Chrome, Edge, and Safari. Firefox never implemented XSS protection. When a browser with built-in and activated XSS protections detected an XSS attack, the browser would remove the unsafe scripts from the page.

Options

The X-XSS-Protection header has the following options: 0 -> Disable XSS filtering 1 -> Enable XSS filter mode (remove unsafe scripts) 1; mode=block -> Enable XSS block mode (block loading of pages with unsafe scripts) 1; report=<reporting-URI> -> Enable XSS filter mode and report violations to the provided URL

Problems

The problem with XSS protection is that is introduces new possibilities for cross-site information leak attacks. Because of this in 2016 the XSS auditor in Chrome switched from filter mode to block mode that completely blocked loading of a page when XSS was detected. Not long after this change, security researchers found different ways to abuse the XSS auditors block mode to steal information like tokens from web sessions and there were also numerous issues with falsely blocked legitimate scripts. Because of these issues, Chrome switched back to filter mode in 2019 thereby reintroducing the cross site information leak vulnerabilities. Within three months Chrome removed their XSS auditor altogether after Edge had already done the same for their XSS filter in 2018. Currently (May 2022) only Internet Explorer and Safari still have built-in XSS protection. The consensus among security researchers is that XSS protection in browsers is best disabled and that the Content Security Policy header (CSP) is used to mitigate XSS vulnerabilities.

References

https://owasp.org/www-project-secure-headers/#x-xss-protection https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection https://scotthelme.co.uk/deprecating-xss-reports https://www.virtuesecurity.com/understanding-xss-auditor NOTE: When enabled, Really Simple SSL Pro will set this header to “0” (disable XSS filtering) from version 5.4 onwards (May 2022).