In this lesson, we'll study how the X-XSS-Protection header can be used to mitigate XSS attacks.

We'll cover the following


Although superseded by CSP, the X-XSS-Protection header provides a similar type of protection. Unsupported by Firefox, this header is used to mitigate XSS attacks in older browsers that don’t fully support CSP.

The syntax is very similar to what we’ve just seen.

X-XSS-Protection: 1; report=http://xssviolations.example.com/collector

Trying it out

Reflected XSS is the most common type of attack, where an unsanitized input is printed by the server without any validation. Here is where this header truly shines. If you have an older version of Chrome (77 or below) and want to see this in action, I would recommend trying out the example below, by appending xss=on to the generated URL. It shows what a browser does when XSS protection is turned on.

This will not work with newer versions of Chrome

Get hands-on with 1200+ tech skills courses.