It is an HTTP response header supported by Internet Explorer 8+, Chrome and Safari. It is designed to enable the cross-site scripting (XSS) filter built into these browsers. The filter is usually enabled by default, but sending the header enforces it. It offers a measure of protection to users of older browsers that cannot honour a CSP (Content-Security-Policy) header.
When such a browser detects what looks like a reflected XSS attack, it stops loading the page. The recommended configuration sets the header to the valid value that enables XSS protection and instructs the browser to block the whole response when it detects a malicious script injected from user input, rather than attempting to sanitize it.
The header is easy to implement and requires only a small change to the web server configuration.
Enablement in Nginx:
add_header X-XSS-Protection "1; mode=block" always;
Enablement in Apache:
Header always set X-XSS-Protection "1; mode=block"
Enablement on IIS:
To enable it on IIS, add the following entry to the customHeaders section (under system.webServer and httpProtocol) of the site's "Web.config" file.
<add name="X-XSS-Protection" value="1; mode=block" />
Alternatively, the header can be added through IIS Manager:
- Open IIS Manager
- Select the site for which the header should be enabled
- Go to "HTTP Response Headers"
- Click "Add" under Actions
- Enter the name and value, then click OK
- Restart IIS to see the result
Enablement in MaxCDN:
When using MaxCDN, the header can be added on the fly.
Go to Edge Rules, click "New Rule" and then select "Add X-XSS-Protection Header" from the drop-down list.
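After changing any of the configurations above, a practitioner will want to confirm what the server actually sends. The script below is an added example, not code from the original article: it classifies an X-XSS-Protection value (0, 1, 1; mode=block, 1; report=...) and reports whether it matches the recommended setting, using a constructed header sample when no URL is passed on the command line.

```python
"""Audit a site's X-XSS-Protection header against the recommended "1; mode=block"."""
import sys
import urllib.request

RECOMMENDED = "1; mode=block"

# Constructed sample of response headers, used when no URL is given on the command line.
SAMPLE_HEADERS = {"Content-Type": "text/html", "X-XSS-Protection": "1; mode=block"}


def parse_xss_protection(value):
    """Classify a header value as disabled, sanitize, block, report or invalid."""
    # Directives are ';'-separated; names and the mode argument are case-insensitive.
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts or parts[0] not in ("0", "1"):
        return "invalid"
    if parts[0] == "0":
        return "disabled" if len(parts) == 1 else "invalid"
    mode = "sanitize"  # bare "1": filter on, browser rewrites the page instead of blocking it
    for directive in parts[1:]:
        name, _, arg = directive.partition("=")
        name, arg = name.strip().lower(), arg.strip()
        if name == "mode" and arg.lower() == "block":
            mode = "block"
        elif name == "report" and arg:
            mode = "report"
        else:
            return "invalid"
    return mode


def audit_headers(headers):
    """Return (status, finding) for a mapping of response headers; names match case-insensitively."""
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get("x-xss-protection")
    if raw is None:
        return "missing", "header not set; recommended %r" % RECOMMENDED
    status = parse_xss_protection(raw)
    if status == "block":
        return status, "ok"
    return status, "got %r, recommended %r" % (raw, RECOMMENDED)


def fetch_headers(url):
    """HEAD the URL and return its response headers (network access assumed)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers.items())


if __name__ == "__main__":
    headers = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_HEADERS
    print(audit_headers(headers))
```

Current Chromium-based browsers no longer ship the XSS filter this header controls, so treat it as hardening for the older browsers the article mentions and rely on a Content-Security-Policy for the rest.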