
3.2.5. X-XSS-Protection

For some years most browsers shipped a built-in XSS filter that was enabled by default. Internet Explorer 8 introduced the first such filter, and the X-XSS-Protection header was created so that web application developers could turn it off when it broke functionality of their application for users. The concept was later adopted by WebKit, which implemented its own filter (the XSS Auditor). Note that browser XSS filters have since been abandoned: Chromium removed its XSS Auditor in 2019, WebKit followed, and Firefox never implemented one, so current browsers ignore this header. Content-Security-Policy is the supported mechanism for mitigating XSS in its place.
An XSS filter does not prevent XSS attacks by blocking malicious scripts outright; it tries to identify untrusted scripts in the response and transform them into benign strings. The heuristic that identifies untrusted scripts matches scripts embedded in the request against those present in the response. If a script occurs in both, the browser assumes the script in the content is not trusted, since it is most probably not part of the application's own content but was echoed back from a user-supplied parameter. This means XSS filters are effective only against reflected XSS and offer no protection against stored or DOM-based variants.
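The following is an added example, not code from the original guide or from any browser: a deliberately simplified model of the reflection heuristic described above. A script found in the response is flagged only if the same script text also arrived in the request; a stored payload that is in the page but not in the request is never flagged. The sample query strings and bodies are constructed, the regular expression covers only inline script elements, and the "sanitize" rewrite is illustrative rather than IE8's actual rewrite rule.

```python
import re
from html import escape
from urllib.parse import parse_qsl

# Matches an inline script element. Real filters match many more injection
# shapes (event handlers, javascript: URLs, partial tags); this is the minimum
# needed to show the reflection check.
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)

# Constructed sample traffic (not real captures).
REFLECTED_QUERY = "q=%3Cscript%3Ealert(1)%3C/script%3E"
REFLECTED_BODY = "<html><body>Results for: <script>alert(1)</script></body></html>"
# A stored payload: the script is in the page but nowhere in the request.
STORED_QUERY = "q=hello"
STORED_BODY = "<html><body><div class=comment><script>steal()</script></div></body></html>"


def request_scripts(query_string):
    """Script fragments present in the decoded request parameters."""
    found = set()
    for _, value in parse_qsl(query_string, keep_blank_values=True):
        found.update(m.group(0) for m in SCRIPT_RE.finditer(value))
    return found


def untrusted_scripts(query_string, body):
    """Scripts in the response that also occur in the request. Only these can
    be flagged by a reflection heuristic; stored or DOM-based payloads pass."""
    echoed = request_scripts(query_string)
    return [m.group(0) for m in SCRIPT_RE.finditer(body) if m.group(0) in echoed]


def apply_filter(query_string, body, mode="sanitize"):
    """Model the two filter behaviours. 'sanitize' rewrites each flagged script
    into inert text (illustrative; IE8's actual rewrite differs), 'block'
    refuses to render the page at all (returns None)."""
    flagged = untrusted_scripts(query_string, body)
    if not flagged:
        return body
    if mode == "block":
        return None
    for script in flagged:
        body = body.replace(script, escape(script))
    return body


if __name__ == "__main__":
    print("reflected, flagged:", untrusted_scripts(REFLECTED_QUERY, REFLECTED_BODY))
    print("stored, flagged:", untrusted_scripts(STORED_QUERY, STORED_BODY))
    print("sanitized page:", apply_filter(REFLECTED_QUERY, REFLECTED_BODY))
    print("blocked page:", apply_filter(REFLECTED_QUERY, REFLECTED_BODY, mode="block"))
```

Running the module shows the reflected payload being flagged while the stored payload in `STORED_BODY` passes untouched, which is exactly the limitation the paragraph above describes.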
Setting the value of the header to 1 re-enables the XSS filter in case the user has disabled it:
X-XSS-Protection: 1
Sanitizing scripts by converting them to benign strings has itself been a source of bugs and security vulnerabilities. The sanitization performed by the IE8 XSS filter was found to be counterproductive: it introduced XSS vulnerabilities into websites that were previously not vulnerable to XSS, including bing.com, google.com, wikipedia.com and others. For details, see the whitepaper by Eduardo Vela Nava and David Lindsay, Abusing Internet Explorer 8's XSS Filters.
To remedy this, an extension to the X-XSS-Protection header was introduced:
X-XSS-Protection: 1; mode=block
With mode set to block, the browser refuses to render the page altogether when it detects an untrusted script, instead of trying to sanitize and display it. If the header is set at all, this is the value to use; a bare value of 1 selects the sanitizing behaviour that the whitepaper above showed to be exploitable.
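As an added example (not part of the original guide), the Python below parses X-XSS-Protection values into their parts, classifies them as disabled, sanitize-only or block mode, and sets the recommended value from a WSGI middleware so that an application cannot accidentally send the weaker bare 1. The parser's grammar (a leading 0 or 1 followed by semicolon-separated name=value directives) and the `demo_response_headers` harness are assumptions made for the example.

```python
def parse_xss_protection(value):
    """Split an X-XSS-Protection value into its parts.

    Accepted shape (assumed for this example): '0' or '1', optionally followed
    by ';'-separated name=value directives such as mode=block. Directives the
    parser does not know are returned under 'other' so a caller can flag them."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts or parts[0] not in ("0", "1"):
        raise ValueError("X-XSS-Protection must start with 0 or 1, got %r" % value)
    parsed = {"enabled": parts[0] == "1", "mode": None, "other": []}
    for directive in parts[1:]:
        name, _, val = directive.partition("=")
        if name.strip().lower() == "mode":
            parsed["mode"] = val.strip().lower()
        else:
            parsed["other"].append(directive)
    return parsed


def assess(value):
    """Classify a header value: 'disabled', 'sanitize' (the filter rewrites the
    page, the behaviour Vela Nava and Lindsay showed to be exploitable) or
    'block' (the setting this section recommends)."""
    parsed = parse_xss_protection(value)
    if not parsed["enabled"]:
        return "disabled"
    return "block" if parsed["mode"] == "block" else "sanitize"


def xss_protection_middleware(app, value="1; mode=block"):
    """WSGI middleware that sets X-XSS-Protection on every response,
    replacing any value the wrapped application already set."""
    def wrapped(environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            headers = [(k, v) for k, v in headers if k.lower() != "x-xss-protection"]
            headers.append(("X-XSS-Protection", value))
            return start_response(status, headers, exc_info)
        return app(environ, patched_start_response)
    return wrapped


def demo_response_headers():
    """Run a trivial app through the middleware and return the headers sent.
    The app deliberately sets the weak bare '1'; the middleware overrides it."""
    sent = {}

    def app(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/html"),
                                  ("X-XSS-Protection", "1")])
        return [b"<p>hello</p>"]

    def start_response(status, headers, exc_info=None):
        sent.update(headers)

    list(xss_protection_middleware(app)({}, start_response))
    return sent


if __name__ == "__main__":
    for v in ("0", "1", "1; mode=block", "1; Mode=Block"):
        print("%-16r -> %s" % (v, assess(v)))
    print(demo_response_headers())
```

The middleware strips any existing X-XSS-Protection header before appending its own, so a framework default of 1 is replaced rather than duplicated; duplicated headers with conflicting values are a common source of confusion when auditing responses.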

3.2.5.1. References