Security5 min read

How to Set the X-XSS-Protection Header

X-XSS-Protection is a deprecated header. The correct current guidance is to set it to 0 to disable the defunct browser XSS Auditor, and rely on Content Security Policy for XSS protection instead.

The X-XSS-Protection header is deprecated. The browser XSS Auditors it controlled have been removed from Chrome (2019), Safari (2022), and were never implemented in Firefox. The correct value to send today is 0 — which explicitly disables the defunct filter — while relying on Content Security Policy for actual XSS protection.

Use 0, Not 1Setting X-XSS-Protection: 1 or 1; mode=block provides no protection in modern browsers and can cause issues in legacy IE11 environments where the auditor's filter heuristics have known bypass and exploitation techniques. Always set it to 0.

The Correct Value

http
X-XSS-Protection: 0

Nginx

nginx
server { listen 443 ssl; server_name example.com; add_header X-XSS-Protection "0" always; # ... rest of config }
bash
sudo nginx -t && sudo systemctl reload nginx

Apache

apache
<VirtualHost *:443> <IfModule mod_headers.c> Header always set X-XSS-Protection "0" </IfModule> </VirtualHost>

Or in .htaccess:

apache
<IfModule mod_headers.c> Header always set X-XSS-Protection "0" </IfModule>
bash
sudo a2enmod headers && sudo systemctl reload apache2

IIS (web.config)

xml
<system.webServer> <httpProtocol> <customHeaders> <add name="X-XSS-Protection" value="0" /> </customHeaders> </httpProtocol> </system.webServer>

Caddy

Command
example.com { header X-XSS-Protection "0" # ... rest of config }

Cloudflare (Transform Rules)

  1. Go to RulesTransform RulesModify Response Header.
  2. Add a rule with Operation: Set, Header name: X-XSS-Protection, Value: 0.
  3. Deploy the rule.

Next.js

javascript
// next.config.mjs const nextConfig = { async headers() { return [ { source: '/(.*)', headers: [ { key: 'X-XSS-Protection', value: '0' }, ], }, ]; }, }; export default nextConfig;

What to Use Instead for XSS Protection

Actual XSS protection in modern browsers comes from a well-configured Content Security Policy. A strict CSP that limits script-src and disallows inline scripts prevents XSS far more effectively than any browser auditor ever could:

http
Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'

Beyond CSP, the server-side fundamentals remain essential: input validation, output encoding, and avoiding direct injection of untrusted data into HTML templates.

Verifying the Header

bash
curl -I https://example.com | grep -i x-xss # Expected: x-xss-protection: 0

Or use the ShowDNS Security Headers Scanner.

Related Articles