Quiz Entry - updated: 2026.06.26
What does X-XSS-Protection: 1; mode=block do, and should you still use it?
It was an old browser-built-in heuristic XSS filter — "if you detect a reflected XSS attempt, refuse to render the page rather than just sanitising."
Today the answer is to remove it entirely (or set X-XSS-Protection: 0):
- Chrome removed the filter in 2019. Firefox never had one. Safari deprecated theirs.
- The filter caused real XSS bugs of its own (e.g. universal-XSS via mis-sanitisation).
- Modern XSS defense is Content-Security-Policy (CSP) — proper script-source allowlists, nonces, and
'strict-dynamic'— plus correct output encoding in templates.
It's worth knowing for historical completeness — you'll still see it in old configs and security scanners may flag its absence, but treat it as a curiosity.
Tip: If you see X-XSS-Protection in an audit report's "missing headers" section, push back. The correct modern advice is CSP, not this header.