X-XSS-Protection

Controls the legacy XSS filter built into older browsers. Setting it to "1; mode=block" enabled the filter. The header is deprecated; use Content-Security-Policy (CSP) instead.

Response

Syntax

X-XSS-Protection: 0 | 1 | 1; mode=block

Example values

| Value | Explanation |
| --- | --- |
| 1; mode=block | Filter and block if XSS detected |
| 0 | Disable (when using CSP) |

cURL usage

curl -I https://example.com

Common mistakes

Relying on this header for XSS protection. The legacy filter can itself introduce vulnerabilities; prefer Content-Security-Policy.
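An added example (not from the original page) that applies the guidance above to the header output of curl -I: it flags responses that still enable the legacy filter or that lack a Content-Security-Policy. The function name, the sample responses and the verdict labels are assumptions of this example.

```shell
#!/bin/sh
# Added example. Verdict labels below are this example's own, not a standard.
# Live use: curl -sI https://example.com | audit_xss_headers

audit_xss_headers() {
  awk '
    {
      sub(/\r$/, "")                    # header lines from curl -I end in CRLF
      colon = index($0, ":")
      if (colon == 0) next              # status line or blank separator
      name  = tolower(substr($0, 1, colon - 1))   # names are case-insensitive
      value = substr($0, colon + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", value)
      if (name == "x-xss-protection") { seen = 1; xxp = value }
      if (name == "content-security-policy") csp = 1
    }
    END {
      n = 0
      if (seen) {
        split(xxp, part, ";")           # "1; mode=block" -> first token "1"
        mode = part[1]; gsub(/[ \t]/, "", mode)
        if (mode == "1") out[++n] = "legacy-filter-on"
        else if (mode != "0") out[++n] = "invalid-x-xss-protection"
      }
      if (!csp) out[++n] = "no-csp"
      line = (n == 0) ? "ok" : out[1]
      for (i = 2; i <= n; i++) line = line " " out[i]
      print line
    }
  '
}

# Constructed sample responses (not captured from a real site).
sample_legacy() {
  printf "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-XSS-Protection: 1; mode=block\r\n\r\n"
}
sample_modern() {
  printf "HTTP/1.1 200 OK\r\ncontent-security-policy: default-src 'self'\r\nx-xss-protection: 0\r\n\r\n"
}

sample_legacy | audit_xss_headers   # legacy-filter-on no-csp
sample_modern | audit_xss_headers   # ok
```

A response with no X-XSS-Protection header and a CSP present also reports ok, since omitting the deprecated header is equivalent to not relying on it.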
