A legacy header that activated the browser's built-in XSS auditor. Modern browsers have removed this feature entirely — but the header still matters if set incorrectly.
Years ago, Internet Explorer introduced an "XSS auditor" — a browser-level filter that tried to detect and block reflected Cross-Site Scripting attacks in real time. The X-XSS-Protection header was a way for site owners to configure this auditor.
The problem: the auditor was imperfect. Researchers discovered that certain configurations could actually introduce new vulnerabilities by exposing information about page content through the auditor's behaviour. Chrome removed its XSS auditor in 2019. Firefox never implemented it. Safari removed it. It is now effectively a dead feature.
However, the header still deserves attention because setting it to anything other than 0 in older browsers could trigger the faulty auditor and cause problems. The correct action today is to explicitly disable it.
Imagine a smoke detector model that was recalled because it occasionally triggered gas leaks when it detected smoke. The right move isn't to keep using it — it's to remove it and install the modern replacement system. That's where we are with the XSS auditor.
X-XSS-Protection: 1; mode=block
In modern browsers, this value is silently ignored. In older IE and EdgeHTML-based Edge browsers it enables the auditor, which has known weaknesses. Setting it gives false confidence without real protection.
Not a major risk since modern browsers ignore the feature, but it's a loose end. Worth setting explicitly so your server's behaviour is intentional and documented.
X-XSS-Protection: 0
Explicitly tells any browser that may still have the auditor to turn it off. Safe, intentional, and the recommendation from security researchers and major browser vendors.
The correct, modern replacement for the XSS auditor is a well-configured Content Security Policy. A CSP is enforced by all modern browsers and is far more powerful — it defines exactly which scripts are allowed to run, preventing injected scripts from executing even if they get onto the page.
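The following is an added example, not code from the original guide: a small audit that parses raw HTTP response headers and classifies X-XSS-Protection exactly as described above (only 0 is safe; 1, 1; mode=block and any report= variant all re-enable the removed filter), and also reports whether a Content-Security-Policy is present as the modern replacement. The three sample responses are constructed for the example and are not captured from any real site.

```python
"""Audit X-XSS-Protection and the CSP that should replace it.

Added example (not part of the original guide). Parses the header block of a
raw HTTP response and classifies the legacy header: 0 is the only safe value,
anything else re-enables a removed and flawed browser filter.
"""
from typing import Dict, List, Optional

# Constructed sample responses for the example (not captured from a real site).
SAMPLE_RESPONSES = {
    "legacy-auditor": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n"
        "X-XSS-Protection: 1; mode=block\r\n"
        "\r\n"
    ),
    "disabled-with-csp": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n"
        "X-XSS-Protection: 0\r\n"
        "Content-Security-Policy: default-src 'self'; script-src 'self'\r\n"
        "\r\n"
    ),
    "header-missing": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
    ),
}


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP response into a dict.

    Header names are case-insensitive, so they are lower-cased for lookup.
    The status line is skipped; the body (after the blank line) is ignored.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def classify_xss_protection(value: Optional[str]) -> str:
    """Return 'missing', 'disabled' or 'enabled' for an X-XSS-Protection value.

    The first token is the on/off flag; directives after ';' (mode=block,
    report=...) only matter when the flag is 1, so they never make it safe.
    """
    if value is None:
        return "missing"
    flag = value.split(";", 1)[0].strip()
    if flag == "0":
        return "disabled"
    return "enabled"


def audit(raw: str) -> Dict[str, object]:
    """Audit one raw response and return the classification plus findings."""
    headers = parse_headers(raw)
    status = classify_xss_protection(headers.get("x-xss-protection"))
    has_csp = "content-security-policy" in headers
    findings: List[str] = []
    if status == "enabled":
        findings.append("X-XSS-Protection re-enables the removed auditor; set it to 0")
    elif status == "missing":
        findings.append("X-XSS-Protection not set; set it to 0 so the behaviour is intentional")
    if not has_csp:
        findings.append("No Content-Security-Policy; CSP is the modern replacement for the auditor")
    return {"xss_protection": status, "has_csp": has_csp, "findings": findings}


if __name__ == "__main__":
    for name, raw in SAMPLE_RESPONSES.items():
        result = audit(raw)
        print(f"{name}: xss_protection={result['xss_protection']} csp={result['has_csp']}")
        for finding in result["findings"]:
            print("  -", finding)
```

To use it against a live deployment, feed audit() the raw response text from your own client of choice; the parser only needs the status line and header block, so the body can be dropped before the call.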
See our Content-Security-Policy guide →
add_header X-XSS-Protection "0" always;
Header always set X-XSS-Protection "0"
Use Transform Rules → Modify Response Header. Add X-XSS-Protection with value 0.
const express = require('express');
const helmet = require('helmet');
const app = express();
app.use(helmet()); // Sets X-XSS-Protection: 0 by default since Helmet v4