Skip to content

X‐XSS‐Protection

Marthijn van den Heuvel edited this page Aug 19, 2024 · 5 revisions

The HTTP X-XSS-Protection response header was a feature of Internet Explorer, Chrome and Safari that stopped pages from loading when they detected reflected cross-site scripting (XSS) attacks.

⚠️ This header is non-standard and is not on a standards track. Do not use it on production sites facing the web: it will not work for every user.

Usage

Header

Default usage (i.e. 1; mode=block):

app.UseXXssProtection();

With options:

app.UseXXssProtection(new XXssProtectionHeaderOptions
{
    Enabled = true,
    Block = true,
});
app.UseXXssProtection(new XXssProtectionHeaderOptions
{
    Enabled = true,
    ReportUri = "/Home/Report",
});

References

Clone this wiki locally