Legacy & misc

X-XSS-Protection


This header controlled the browser-side "XSS auditor" of older Chrome and Internet Explorer/Edge. That filter was itself a source of vulnerabilities (its block and filter modes could be abused to selectively disable legitimate scripts and to leak cross-site information) and has been removed from modern browsers; Firefox never implemented it. Current best practice, and what security scanners expect, is to send 0, which explicitly disables any filter that may still exist, and to rely on a strong Content-Security-Policy instead. Do not send 1; mode=block: it re-enables the legacy behaviour in browsers that still have it and adds nothing in browsers that do not.

Example

X-XSS-Protection: 0

Options

Option | Type                        | Default | Notes
value  | select (0 / 1; mode=block)  | 0       | use 0; 1; mode=block is not recommended (see above)

Scoring

Contributes up to 2 points to your grade (a bonus header — not required for an A+).

Full specification on MDN ↗