Missing X-XSS-Protection

Description

The X-XSS-Protection header is a legacy, non-standard response header that controls the built-in reflected-XSS filter ("XSS Auditor") of older browsers. It only ever addressed reflected XSS, where the payload travels in the request and is echoed back in the response; it never protected against stored or DOM-based XSS. Modern browsers no longer honour it: Firefox never implemented the filter, and Chromium-based browsers (Chrome from version 78, and Edge) removed it because it produced false positives and could itself be abused as an information-leak side channel. In an environment that still serves browsers with an active filter, omitting the header leaves the browser's default behaviour in effect, which typically sanitises the suspected script rather than blocking the page, and a successful XSS can then steal session cookies, deface content or redirect victims to malicious sites. The underlying risk is the injection flaw itself (CWE-79); the header is at best a defence-in-depth mitigation for legacy clients and should not be relied on as the primary control.

Remediation

Set an explicit value rather than leaving the header out. If your user base includes legacy browsers with an XSS filter, send 'X-XSS-Protection: 1; mode=block' so that an affected page is blocked outright instead of being partially sanitised. For a modern user base, current guidance (for example the OWASP HTTP Security Response Headers cheat sheet) is to send 'X-XSS-Protection: 0', which disables the filter where it still exists and removes its side-channel risk; either setting satisfies a check that only looks for the header's presence. In both cases the real control is a Content Security Policy (a script-src that avoids 'unsafe-inline', ideally nonce- or hash-based) together with context-aware output encoding and input validation, because the header does nothing against stored or DOM-based XSS. Make sure reverse proxies and load balancers pass the header through rather than stripping or overriding it, and treat a Web Application Firewall (WAF) as a secondary layer that catches known payloads at the perimeter, not as a substitute for fixing the injection. Re-verify the response headers after each deployment, particularly when supporting mixed browser environments.
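The following Node.js snippet is an added example, not code from the original finding or from any scanner vendor. It shows the remediation in working form: a header set that emits either the legacy '1; mode=block' value or the modern '0' value alongside a CSP, an HTML-escaping renderer for the reflected parameter that the header was meant to protect, and a scanner-style check that reports the header as missing or malformed. All function names and the sample CSP are assumptions chosen for the example; it uses only the Node standard library.

```javascript
// Added example (not from the original page): security headers for the
// X-XSS-Protection finding, a safely reflecting page, and a presence check.

// Escape untrusted text for insertion into an HTML text node or quoted attribute.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Response headers. legacyFilter=true emits "1; mode=block" for deployments
// that still serve browsers with an XSS auditor; false emits "0", which
// explicitly disables the deprecated filter and relies on CSP plus output
// encoding instead. The CSP below is a sample policy (assumption), tighten
// it to the application's real script sources.
function securityHeaders({ legacyFilter = false } = {}) {
  return {
    'Content-Type': 'text/html; charset=utf-8',
    'X-XSS-Protection': legacyFilter ? '1; mode=block' : '0',
    'Content-Security-Policy':
      "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
    'X-Content-Type-Options': 'nosniff',
  };
}

// Render a page that reflects a query parameter. The vulnerable form would be
// `<p>Hello ${name}</p>`; here the value is escaped, so a constructed payload
// such as <script>alert(1)</script> is rendered as text, not executed.
function renderGreeting(name) {
  return `<!doctype html><html><body><p>Hello ${escapeHtml(name)}</p></body></html>`;
}

// Scanner-style check over a response header map (case-insensitive names).
// Accepts the documented values: 0, 1, 1; mode=block, 1; report=<uri>.
function checkXssProtection(headers) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = String(v).trim();
  const findings = [];
  const xxp = lower['x-xss-protection'];
  if (xxp === undefined) {
    findings.push('Missing X-XSS-Protection');
  } else if (!/^(0|1(;\s*(mode=block|report=\S+))?)$/i.test(xxp)) {
    findings.push(`Unexpected X-XSS-Protection value: ${xxp}`);
  }
  if (lower['content-security-policy'] === undefined) {
    findings.push('Missing Content-Security-Policy');
  }
  return findings;
}

// Request handler wiring the pieces together; set LEGACY_BROWSERS=1 in the
// environment (assumed variable name) to emit the legacy header value.
function handle(req, res) {
  const url = new URL(req.url, 'http://localhost');
  const body = renderGreeting(url.searchParams.get('name') || 'world');
  res.writeHead(200, securityHeaders({ legacyFilter: process.env.LEGACY_BROWSERS === '1' }));
  res.end(body);
}

// Start a server on demand; not started automatically so the module can be
// imported and its functions exercised without opening a port.
function startServer(port = 8080) {
  const http = require('http');
  return http.createServer(handle).listen(port);
}
```

Call startServer() and request /?name=%3Cscript%3Ealert(1)%3C/script%3E to see the escaped output, then point checkXssProtection at the headers a proxy actually delivers to the client (for example from curl -I) rather than at the application's own configuration, since a load balancer that strips the header will still produce this finding.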

References

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
https://owasp.org/www-community/attacks/xss/

Severity

MEDIUM

Owasp

Code: A05:2021

Category: Security Misconfiguration

Classification

CWE-79
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

5.4

CVSS:4.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

5.4