What is XXP?

XXP is an HTTP response header that allows you to control the native XSS Auditor built into Chromium- and WebKit-based browsers.

The auditor's default configuration may not be what you want, and with reporting enabled you can learn when the browser takes action to protect your users.

Getting Started

If you want to get started with XXP, you can deploy a policy with a single HTTP response header. The suggested policy for getting started is shown below, but we advise understanding what each policy mode does by reading the Useful Links section at the bottom:

X-Xss-Protection: 1; mode=block; report=https://{subdomain}.report-uri.com/r/d/xss/enforce

To deploy this header on your website you will need to update the subdomain in the example to your own subdomain, which you can find on the Setup page, and then set the header on your website. Here are some examples of how to do that, depending on your platform or language of choice:

PHP:

header('X-Xss-Protection: 1; mode=block; report=https://{subdomain}.report-uri.com/r/d/xss/enforce');

Nginx:

add_header "X-Xss-Protection" "1; mode=block; report=https://{subdomain}.report-uri.com/r/d/xss/enforce";

Apache:

Header set X-Xss-Protection "1; mode=block; report=https://{subdomain}.report-uri.com/r/d/xss/enforce"


IIS:

Open IIS Manager and navigate to the level you want to manage. In Features View, double-click HTTP Response Headers. On the HTTP Response Headers page, in the Actions pane, click Add. In the Add Custom HTTP Response Header dialog box, use the following name and value and then click OK.

Name: X-Xss-Protection

Value: 1; mode=block; report=https://{subdomain}.report-uri.com/r/d/xss/enforce
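
Before rolling the header out, it helps to check the value you are about to serve. The following is an added example, not code from this page or from Report URI: it parses an X-Xss-Protection value and flags common deployment mistakes, such as leaving the {subdomain} placeholder in place. The function names, the "example" subdomain and the rule that the report URI be an absolute https URL are assumptions of this example.

```python
# Added example: parse an X-Xss-Protection value and flag deployment mistakes.
from urllib.parse import urlparse

def parse_xxp(value):
    """Split '1; mode=block; report=<uri>' into a dict of its parts."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    policy = {"enabled": None, "mode": None, "report": None}
    # The first token switches the auditor off (0) or on (1).
    if parts and parts[0] in ("0", "1"):
        policy["enabled"] = parts[0] == "1"
        parts = parts[1:]
    for part in parts:
        name, _, arg = part.partition("=")  # split on the first '=' only
        name = name.strip().lower()
        if name in ("mode", "report"):
            policy[name] = arg.strip()
    return policy

def check_xxp(value):
    """Return a list of problems; an empty list means none were found."""
    policy = parse_xxp(value)
    problems = []
    if policy["enabled"] is None:
        problems.append("value must start with 0 or 1")
    if policy["enabled"] is False and (policy["mode"] or policy["report"]):
        problems.append("mode/report have no effect when the auditor is disabled (0)")
    if policy["mode"] is not None and policy["mode"].lower() != "block":
        problems.append("unknown mode: " + policy["mode"])
    report = policy["report"]
    if report is not None:
        if "{" in report or "}" in report:
            problems.append("report URI still contains a template placeholder")
        else:
            # Assumption of this example: the endpoint is an absolute https URL,
            # as in the policy shown on this page.
            url = urlparse(report)
            if url.scheme != "https" or not url.netloc:
                problems.append("report URI should be an absolute https URL")
    return problems

if __name__ == "__main__":
    # Constructed sample values; 'example' is a made-up subdomain.
    samples = [
        "1; mode=block; report=https://example.report-uri.com/r/d/xss/enforce",
        "1; mode=block; report=https://{subdomain}.report-uri.com/r/d/xss/enforce",
        "0; mode=block",
    ]
    for s in samples:
        print(s, "->", check_xxp(s) or "ok")
```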