This article is a part of our Web Security Knowledge Base

Why Web Browser XSS Protection Not Enabled can be dangerous

The web browser's built-in XSS filter is not enabled: either the web server sends no ‘X-XSS-Protection’ HTTP response header, or the header's value explicitly disables the filter. Attackers use XSS to make a trusted website deliver malicious content, such as injected script, to that site's users.

How to fix Web Browser XSS Protection Not Enabled

Ensure that the web browser's XSS filter is enabled by setting the X-XSS-Protection HTTP response header to a value beginning with ‘1’.

The following values would attempt to enable Web Browser XSS Protection:

X-XSS-Protection: 1; mode=block

X-XSS-Protection: 1; report=http://www.example.com/xss

How does ScanRepeat report Web Browser XSS Protection Not Enabled

ScanRepeat analyzes HTTP responses looking for the ‘X-XSS-Protection’ header and checks whether its value correctly enables the web browser's XSS protection. Note that ScanRepeat raises this alert only if the response body could potentially contain an XSS payload, that is, when the response has a text-based content type and a non-zero length.
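The following Python module is an added example and is not ScanRepeat's own code; it reproduces the check described above (text-based content type, non-zero body, then inspection of the header value) and also applies the fix from the previous section, so a response can be evaluated, hardened, and re-checked in one place. The set of content types it treats as "text-based" and the names of its functions are assumptions made for the example. One caveat for practitioners: the filter this header controls has been removed from current Chromium-based browsers and was never implemented in Firefox, so the header is a defence-in-depth setting for older clients rather than a substitute for output encoding or a Content Security Policy.

```python
"""Check and fix the 'Web Browser XSS Protection Not Enabled' finding.

Added example, not ScanRepeat's code. Implements the logic the article
describes: for a response whose body could carry an XSS payload (text-based
content type, non-zero length), inspect X-XSS-Protection and report when the
browser filter is missing, disabled, or set to an unrecognised value.
"""
from dataclasses import dataclass
from typing import Mapping, Optional

# Content types whose bodies a browser may interpret as markup or script.
# Assumption: an illustrative list, not ScanRepeat's exact rule.
TEXT_TYPES = ("text/", "application/xhtml+xml", "application/xml",
              "application/javascript")

# One of the two values recommended in the "How to fix" section.
# 'mode=block' stops page rendering instead of rewriting the suspect script.
RECOMMENDED_VALUE = "1; mode=block"


@dataclass(frozen=True)
class XssProtection:
    enabled: bool            # first token was '1'
    mode_block: bool         # 'mode=block' directive present
    report_uri: Optional[str]  # 'report=<uri>' directive, if any


def _get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_xss_protection(value: str) -> Optional[XssProtection]:
    """Parse a header value such as '1; mode=block' or '1; report=<uri>'.

    Returns None when the first token is neither '0' nor '1', which browsers
    never understood and which therefore does not enable the filter.
    """
    tokens = [t.strip() for t in value.split(";") if t.strip()]
    if not tokens or tokens[0] not in ("0", "1"):
        return None
    enabled = tokens[0] == "1"
    mode_block = False
    report_uri = None
    for directive in tokens[1:]:
        name, _, directive_value = directive.partition("=")
        name = name.strip().lower()
        if name == "mode" and directive_value.strip().lower() == "block":
            mode_block = True
        elif name == "report":
            report_uri = directive_value.strip()
    return XssProtection(enabled, mode_block, report_uri)


def body_could_carry_xss(headers: Mapping[str, str], body: bytes) -> bool:
    """The article's precondition: text-based content type and non-zero length."""
    content_type = (_get_header(headers, "Content-Type") or "").lower()
    return len(body) > 0 and content_type.startswith(TEXT_TYPES)


def check_response(headers: Mapping[str, str], body: bytes) -> Optional[str]:
    """Return a finding description, or None when the response passes or is out of scope."""
    if not body_could_carry_xss(headers, body):
        return None
    raw = _get_header(headers, "X-XSS-Protection")
    if raw is None:
        return "X-XSS-Protection header missing"
    parsed = parse_xss_protection(raw)
    if parsed is None:
        return f"X-XSS-Protection has unrecognised value {raw!r}"
    if not parsed.enabled:
        return "X-XSS-Protection explicitly disables the filter (value 0)"
    return None


def harden_headers(headers: Mapping[str, str]) -> dict:
    """Return a copy of the headers with the filter enabled in blocking mode.

    An existing 'report=' directive is kept so violation reporting still works.
    """
    out = dict(headers)
    raw = _get_header(out, "X-XSS-Protection")
    parsed = parse_xss_protection(raw) if raw is not None else None
    value = RECOMMENDED_VALUE
    if parsed is not None and parsed.report_uri:
        value += f"; report={parsed.report_uri}"
    # Remove any case-variant of the header before setting the canonical one.
    for key in [k for k in out if k.lower() == "x-xss-protection"]:
        del out[key]
    out["X-XSS-Protection"] = value
    return out


if __name__ == "__main__":
    # Constructed sample response: HTML body, header absent -> finding raised.
    sample_headers = {"Content-Type": "text/html; charset=utf-8"}
    sample_body = b"<html><body>hello</body></html>"
    print(check_response(sample_headers, sample_body))
    print(check_response(harden_headers(sample_headers), sample_body))
```

Run the module directly to see the finding for a response that lacks the header, followed by `None` once `harden_headers` has added `X-XSS-Protection: 1; mode=block`. Responses with a binary content type or an empty body are skipped, matching the scope described above.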
