This header tells the browser to turn on its built-in filter for cross-site scripting (XSS).

The X-XSS-Protection header enables the browser's filter against reflected cross-site scripting attacks. It is not a complete defence against XSS, so you still need the usual server-side measures: input validation and context-aware output encoding. Bear in mind that browser support has since been withdrawn: Chromium removed its XSS Auditor in Chrome 78 and Firefox never implemented a filter, so current versions of those browsers ignore the header entirely. It only affects older browsers such as Internet Explorer and older Chrome versions.

There are three possible values for this header:

  • 0 - (zero), disable the filter entirely. This is what most current guidance recommends, because the filter itself has been abused. If you disable it, make sure a Content-Security-Policy is in place instead. The reflected-xss directive sometimes mentioned as the CSP replacement only existed in CSP 1.1 drafts and was dropped from the final CSP Level 2 specification, so do not rely on it.
  • 1 - enable the filter and let the browser sanitize the page by removing the parts it thinks were injected. This is usually the browser default, but it opens the site to a false-positive attack: an attacker who reflects a copy of one of your own legitimate scripts in the request can make the filter strip that script from the page, for example disabling frame-busting or other client-side protections, and in the worst case leave the site more vulnerable than with no filter at all.
  • 1; mode=block - if the browser detects an attack it refuses to render the page at all instead of trying to repair it. Of the two enabled modes this is the safer one.

And you can also add

  • ; report=<reporting-URI> appended to either of the "1" forms (Chromium only). If an attack is detected the browser sanitizes or blocks, depending on the mode you selected, and then sends a report to the URI specified. If you don't want to set up that reporting endpoint yourself you can use https://report-uri.com/.

This header can mostly be replaced by Content-Security-Policy, but since it still works in older browsers it can serve as a fallback for them. Don't treat it as a substitute for a proper CSP.
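As an added example (not code from the original post or from any .NET project), here is a small Python parser and audit for the header values described above, run over a few constructed sample responses. It flags a bare 1 (filter mode without mode=block), a non-HTTPS report URI, an unparseable value, and the absence of a Content-Security-Policy to fall back on. The sample responses, the function names and the finding texts are my own assumptions.

```python
"""Parse and audit X-XSS-Protection header values.

Added example for this post; not code from the original page or from any
.NET project. The grammar below follows the form Chromium and Internet
Explorer accepted: "0" | "1" [ ";" param ]* where param is "mode=block"
or "report=<uri>". The sample responses at the bottom are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class XssProtection:
    enabled: bool                  # "1" -> True, "0" -> False
    mode: Optional[str] = None     # "block" when mode=block is present
    report: Optional[str] = None   # reporting URI, if given
    unknown: List[str] = field(default_factory=list)  # parameters not recognised


def parse_xss_protection(value: str) -> XssProtection:
    """Parse a raw X-XSS-Protection header value.

    Raises ValueError when the leading token is neither "0" nor "1".
    Unrecognised parameters are kept in .unknown rather than rejected,
    because browsers silently ignored them.
    """
    parts = [p.strip() for p in value.split(";")]
    head = parts[0]
    if head not in ("0", "1"):
        raise ValueError(f"invalid X-XSS-Protection value: {value!r}")
    result = XssProtection(enabled=(head == "1"))
    for param in parts[1:]:
        if not param:
            continue
        name, _, val = param.partition("=")
        name, val = name.strip().lower(), val.strip()
        if name == "mode" and val.lower() == "block":
            result.mode = "block"
        elif name == "report" and val:
            result.report = val  # assumption: the report URI contains no ';'
        else:
            result.unknown.append(param)
    return result


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings for one response's headers (empty = OK).

    Mirrors the advice in the post: a bare "1" is risky, and a CSP should
    be present in any case because current browsers ignore this header.
    """
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []
    has_csp = "content-security-policy" in h
    value = h.get("x-xss-protection")

    if value is None:
        findings.append("X-XSS-Protection missing: legacy browsers use their "
                        "default, normally the page-rewriting filter mode")
    else:
        try:
            p = parse_xss_protection(value)
        except ValueError as exc:
            findings.append(str(exc))
            return findings  # nothing else can be said about an unparseable value
        if p.unknown:
            findings.append(f"unrecognised parameters (ignored by browsers): {p.unknown}")
        if p.enabled and p.mode != "block":
            findings.append("mode=block missing: filter mode rewrites the page and "
                            "can be abused to strip the site's own scripts")
        if p.report and not p.report.lower().startswith("https://"):
            findings.append(f"report endpoint is not https: {p.report}")

    if not has_csp:
        findings.append("no Content-Security-Policy: X-XSS-Protection is ignored by "
                        "current Chromium and Firefox, so a CSP is the real defence")
    return findings


# Constructed sample responses (not captured from any real site).
SAMPLE_RESPONSES = {
    "legacy-default": {"X-XSS-Protection": "1"},
    "recommended": {"X-XSS-Protection": "1; mode=block",
                    "Content-Security-Policy": "default-src 'self'"},
    "disabled-with-csp": {"x-xss-protection": "0",
                          "content-security-policy": "default-src 'self'; script-src 'self'"},
    "broken": {"X-XSS-Protection": "yes please"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        print(name, audit_headers(hdrs) or ["OK"])
```

The audit deliberately treats a missing Content-Security-Policy as a finding on its own, regardless of the X-XSS-Protection value, since the header only ever helped older browsers.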

HTTP Header Tester: X-XSS-Protection

Adding it can look like this:

<add name="X-XSS-Protection" value="1;mode=block"/>

Read more about: How to add headers to your .NET site

Previously in the Security Headers series: Strict Transport Security

Next up in the Security Headers series: X-Frame-Options