X-XSS-Protection Header Missing


The X-XSS-Protection header is not set in the HTTP response headers.


What is the X-XSS-Protection header?
This header configures the built-in reflected-XSS filter found in browsers (i.e. Internet Explorer, Chrome and Mozilla, etc.): when the filter detects a reflected cross-site scripting (XSS) attack, it stops the page from loading. Current versions of the major browsers have removed this filter, so the header only affects legacy clients; Content-Security-Policy is the modern control. The basic syntax for this header:

X-XSS-Protection: 0
X-XSS-Protection: 1
X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; report=<reporting-uri>

Reflected XSS occurs when a parameter value that enters a web application from an untrusted source, most frequently a web request, is echoed back in the response without proper encoding; an attacker can use this to steal data or modify data in the victim's session.


Configure this header for the web application, ensuring the correct value is set. The recommended value is:
X-XSS-Protection: 1; mode=block

PHP
header("X-XSS-Protection: 1; mode=block");

Apache (.htaccess)
<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
</IfModule>

Nginx
add_header "X-XSS-Protection" "1; mode=block";
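The following is an added example, not part of the original finding text: a small Python checker that evaluates the X-XSS-Protection value from a set of response headers against the four syntaxes listed above and reports whether the header is missing, disabled, weak or set to the recommended "1; mode=block". The sample responses are constructed for the example, not captured from any real host.

```python
from typing import Dict, Optional, Tuple

# Constructed sample responses (not captured from any real host): header names
# as a server might send them, mapped to their values.
SAMPLE_RESPONSES = {
    "missing":  {"Content-Type": "text/html", "Server": "example"},
    "disabled": {"Content-Type": "text/html", "X-XSS-Protection": "0"},
    "filter":   {"Content-Type": "text/html", "x-xss-protection": "1"},
    "block":    {"Content-Type": "text/html", "X-XSS-Protection": "1; mode=block"},
    "report":   {"Content-Type": "text/html",
                 "X-XSS-Protection": "1; report=https://example.invalid/xss-report"},
    "garbage":  {"Content-Type": "text/html", "X-XSS-Protection": "yes please"},
}

def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP field names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None

def parse_xss_protection(value: str) -> Tuple[Optional[int], Dict[str, str]]:
    """Split 'N; key=value; ...' into the leading flag (0 or 1) and its directives.
    Returns (None, {}) when the leading flag is not 0 or 1."""
    parts = [p.strip() for p in value.split(";")]
    if parts[0] not in ("0", "1"):
        return None, {}
    directives: Dict[str, str] = {}
    for part in parts[1:]:
        if "=" in part:
            key, val = part.split("=", 1)
            directives[key.strip().lower()] = val.strip()
    return int(parts[0]), directives

def assess(headers: Dict[str, str]) -> str:
    """Return a one-line finding for one response's headers."""
    value = get_header(headers, "X-XSS-Protection")
    if value is None:
        return "MISSING: header not set; recommended value is '1; mode=block'"
    flag, directives = parse_xss_protection(value)
    if flag is None:
        return f"INVALID: unparseable value {value!r}"
    if flag == 0:
        return "DISABLED: browser filter explicitly turned off"
    if directives.get("mode", "").lower() == "block":
        return "OK: filter enabled, page blocked on detection"
    if "report" in directives:
        return f"WEAK: filter enabled, reports to {directives['report']}, no mode=block"
    return "WEAK: filter enabled but page is sanitised rather than blocked"
```

Run `assess()` over each entry of SAMPLE_RESPONSES (or over headers fetched from a server you are authorised to test) to produce the finding for that response.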