LOGBOOK

HELP

Quiz Entry - updated: 2026.06.26

What does X-XSS-Protection: 1; mode=block do, and should you still use it?

It was an old browser-built-in heuristic XSS filter — "if you detect a reflected XSS attempt, refuse to render the page rather than just sanitising."

Today the answer is to remove it entirely (or set X-XSS-Protection: 0):

  • Chrome removed the filter in 2019. Firefox never had one. Safari deprecated theirs.
  • The filter caused real XSS bugs of its own (e.g. universal-XSS via mis-sanitisation).
  • Modern XSS defense is Content-Security-Policy (CSP) — proper script-source allowlists, nonces, and 'strict-dynamic' — plus correct output encoding in templates.

It's worth knowing for historical completeness — you'll still see it in old configs and security scanners may flag its absence, but treat it as a curiosity.

Tip: If you see X-XSS-Protection in an audit report's "missing headers" section, push back. The correct modern advice is CSP, not this header.

From Quiz: ISF / Web Application Security Basics | Updated: Jun 26, 2026