X-XSS-Protection Retired, What to Do Instead?


As a vulnerability scanner, we have to keep evolving to keep up with the latest threats and browser changes. Recently we removed support for the X-XSS-Protection header.

What does the X-XSS-Protection header do?

The X-XSS-Protection header enables an XSS detection feature (the XSS auditor) in the browser, which blocks some categories of cross-site scripting attacks, a common class of web vulnerability in which attacker-supplied JavaScript runs in the victim's browser.

Why is it being removed?

Some browsers phased out support for X-XSS-Protection in 2019 (Chrome and Edge), and this trend continued in 2020. As a result, the header is redundant for all but legacy browsers.

What browsers still support it?

[Image: browser compatibility table for the X-XSS-Protection header. Source: Firefox]

You can stay up to date with the latest data here:

What to do instead?

Enabling a strong Content-Security-Policy header will give you protection against XSS. You can read more about enabling security headers here.
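As an added example (not code from the original article), the Python below does two things a team replacing X-XSS-Protection with CSP usually needs: it builds a nonce-based Content-Security-Policy for one response, and it audits an arbitrary policy string for the script-related weaknesses that would leave XSS unmitigated. The specific directives chosen are the example's own assumptions, not a recommendation quoted from the article.

```python
import secrets

# Sources that, when present in script-src, let injected script run.
WEAK_SCRIPT_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "http:", "https:", "data:"}
STRICT_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> dict:
    """Split a Content-Security-Policy value into {directive: [source, ...]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def csp_weaknesses(header: str) -> list:
    """Return reasons the policy would not stop XSS; an empty list means it looks sound."""
    policy = parse_csp(header)
    issues = []
    # script-src falls back to default-src; with neither, any script source is allowed.
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return ["no script-src or default-src: scripts from anywhere are allowed"]
    has_nonce_or_hash = any(s.startswith(STRICT_PREFIXES) for s in sources)
    for s in sources:
        # CSP Level 2+ browsers ignore 'unsafe-inline' once a nonce or hash is present,
        # so that combination is an accepted backwards-compatibility pattern.
        if s in WEAK_SCRIPT_SOURCES and not (s == "'unsafe-inline'" and has_nonce_or_hash):
            issues.append(f"script-src allows {s}")
    if "object-src" not in policy and "default-src" not in policy:
        issues.append("object-src not restricted: plugin content could execute script")
    return issues


def build_csp(nonce: str) -> str:
    """Nonce-based policy: only <script> tags carrying this request's nonce may run."""
    return (f"default-src 'self'; script-src 'nonce-{nonce}' 'strict-dynamic'; "
            "object-src 'none'; base-uri 'none'")


def render_page(inline_script: str) -> tuple:
    """Produce headers and HTML for one response with a fresh per-request nonce."""
    nonce = secrets.token_urlsafe(16)  # unpredictable, never reused across responses
    headers = {"Content-Security-Policy": build_csp(nonce)}
    html = f'<!doctype html><script nonce="{nonce}">{inline_script}</script>'
    return headers, html
```

Run `csp_weaknesses` over the policy your server actually emits: a result such as `script-src allows 'unsafe-inline'` means an injected `<script>` would still execute, which is exactly the gap the retired header used to paper over.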

Read our XSS vulnerability prevention guide