Severity: low · Security & Infrastructure

X-XSS-Protection

X-XSS-Protection is a legacy browser security header that instructs older browsers to block reflected XSS attacks. SaaSalyst checks whether your server sends this header as part of a complete security header audit.

What SaaSalyst Checks

SaaSalyst inspects the HTTP response headers from your server for the X-XSS-Protection header. The scanner checks for its presence — if found, the check passes; if absent, it triggers a warning.

Why This Matters

X-XSS-Protection was introduced by Internet Explorer and later adopted by Chrome and Safari to enable built-in XSS filtering. While modern browsers have deprecated this header in favor of Content-Security-Policy, it remains relevant for users on older browsers.

Including X-XSS-Protection in your security header set signals to enterprise security auditors that your application has addressed the full OWASP-recommended header set.

The recommended value is '1; mode=block', which instructs the browser to stop rendering the page entirely if an XSS attack is detected, rather than attempting to sanitize the injected script and render the rest.

How to Fix It

  1. Add the X-XSS-Protection header to your server responses: X-XSS-Protection: 1; mode=block.
  2. For Vercel or Next.js, configure this in next.config.js headers section or vercel.json.
  3. Note: modern browsers have deprecated this header. Pair it with a strong Content-Security-Policy for full XSS protection.
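As an added example (not SaaSalyst's or Next.js's own code), the header entries a next.config.js `headers()` function would return for every route, plus a small audit that goes a step beyond the presence check described above: it also validates the value and flags a missing Content-Security-Policy. The CSP value and route pattern are constructed placeholders.

```javascript
// Header entries in the { key, value } shape next.config.js `headers()` expects.
// The CSP below is a constructed placeholder; tailor it to the app's real sources.
const securityHeaders = [
  { key: 'X-XSS-Protection', value: '1; mode=block' },
  { key: 'Content-Security-Policy', value: "default-src 'self'; object-src 'none'; base-uri 'self'" },
];

// What next.config.js returns from `async headers()`: apply the set to all routes.
// In next.config.js: module.exports = { async headers() { return routeHeaders(); } };
function routeHeaders() {
  return [{ source: '/(.*)', headers: securityHeaders }];
}

// Case-insensitive lookup: HTTP header names are case-insensitive and
// frameworks and CDNs differ in the casing they emit.
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : headers[key];
}

// Audit a response's headers. Returns { status, findings }:
//  'pass' when X-XSS-Protection carries the recommended value and a CSP is present,
//  'warn' otherwise, with one finding per problem.
function auditXssProtection(headers) {
  const findings = [];
  const xss = getHeader(headers, 'X-XSS-Protection');
  if (xss === null) {
    findings.push('X-XSS-Protection header missing');
  } else if (xss.replace(/\s+/g, '').toLowerCase() !== '1;mode=block') {
    findings.push(`X-XSS-Protection is "${xss}"; recommended value is "1; mode=block"`);
  }
  if (getHeader(headers, 'Content-Security-Policy') === null) {
    findings.push('No Content-Security-Policy; X-XSS-Protection alone does not protect modern browsers');
  }
  return { status: findings.length === 0 ? 'pass' : 'warn', findings };
}

// Constructed sample responses for demonstration.
const goodResponse = Object.fromEntries(securityHeaders.map((h) => [h.key, h.value]));
const legacyOnly = { 'x-xss-protection': '1' }; // lowercase name, no mode=block, no CSP

console.log(auditXssProtection(goodResponse)); // { status: 'pass', findings: [] }
console.log(auditXssProtection(legacyOnly));   // status 'warn' with two findings
```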

Frequently Asked Questions

How does SaaSalyst check for X-XSS-Protection?

SaaSalyst inspects your server's HTTP response headers for the X-XSS-Protection header. Its presence indicates legacy XSS filtering is enabled for older browsers.

Is X-XSS-Protection still relevant?

X-XSS-Protection is deprecated in modern browsers but SaaSalyst still checks for it as part of a complete security header audit. A Content-Security-Policy header provides stronger, modern XSS protection.

How does X-XSS-Protection affect my Business Readiness Score?

SaaSalyst rates X-XSS-Protection as low severity in Security & Infrastructure. It's a legacy header but its absence is still noted during security audits.

Check Your SaaS Now — Free

SaaSalyst scans your website in 30 seconds and checks for X-XSS-Protection along with 40+ other business readiness signals.