As a vulnerability scanner, we have to keep developing constantly to stay current with the latest threats and platform changes. We recently removed support for the X-XSS-Protection header.

Table of contents
  1. What does the X-XSS-Protection header do?
  2. Why is it being removed?
  3. What browsers still support it?
  4. What to do instead?

What does the X-XSS-Protection header do?

The X-XSS-Protection header enables an XSS filter built into the browser, which blocks some categories of cross-site scripting (XSS) attacks, a common class of web vulnerability in which injected script runs in the victim's page.

Why is it being removed?

Chrome and Edge phased out support for X-XSS-Protection in 2019, and other browsers followed in 2020. The header is therefore redundant except for legacy browsers.

What browsers still support it?

[Figure: browser compatibility table showing X-XSS-Protection as retired. Source: Firefox]

You can stay up to date with the latest browser compatibility data here: https://github.com/mdn/browser-compat-data.

What to do instead?

Enabling a strong Content-Security-Policy header protects against XSS by restricting where scripts may be loaded from and whether inline scripts may run at all. You can read more about enabling security headers here.
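As an added example (not the scanner's own code), the check below does what this post recommends: it flags the retired X-XSS-Protection header as adding no protection and evaluates whether a Content-Security-Policy actually restricts script execution. The sample header sets are constructed for the example; the header names and CSP keywords are the real ones.

```python
# Assess response headers for XSS hardening: X-XSS-Protection is retired,
# so the useful check is whether the CSP constrains where scripts run.
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(value):
    """Parse a CSP header value into {directive: [source tokens]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def assess_csp(value):
    """Return (is_strong, findings) for a CSP header value."""
    policy = parse_csp(value)
    if "script-src" not in policy and "default-src" not in policy:
        return False, ["no script-src or default-src: scripts are unrestricted"]
    # Per the CSP spec, script-src falls back to default-src when absent.
    srcs = [s.lower() for s in policy.get("script-src", policy.get("default-src", []))]
    findings = []
    # 'unsafe-inline' is ignored by CSP3 browsers once a nonce or hash is present.
    if "'unsafe-inline'" in srcs and not any(s.startswith(NONCE_OR_HASH) for s in srcs):
        findings.append("'unsafe-inline' without a nonce or hash permits injected inline scripts")
    if "*" in srcs or any(s in ("http:", "https:") for s in srcs):
        findings.append("wildcard script source permits scripts from any origin")
    if "'unsafe-eval'" in srcs:
        findings.append("'unsafe-eval' permits string-to-code execution")
    return not findings, findings


def check_headers(headers):
    """Return a list of findings for a dict of response headers (any casing)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if "x-xss-protection" in h:
        findings.append("X-XSS-Protection is retired by current browsers and adds no protection")
    if "content-security-policy" not in h:
        findings.append("Content-Security-Policy header missing")
    else:
        findings.extend("CSP: " + f for f in assess_csp(h["content-security-policy"])[1])
    return findings


# Constructed sample responses, not captured from any real site.
LEGACY = {"X-XSS-Protection": "1; mode=block",
          "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' *"}
HARDENED = {"Content-Security-Policy":
            "default-src 'self'; script-src 'nonce-r4nd0m' 'strict-dynamic'; object-src 'none'"}

if __name__ == "__main__":
    for name, hdrs in (("legacy", LEGACY), ("hardened", HARDENED)):
        print(name, check_headers(hdrs) or ["no findings"])
```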
