Crashtest Security Blog

X-XSS-Protection retired, what to do instead?

Dec 15, 2020 5:30:00 PM / by Leon O'Neill

As vulnerability scanning software, we have to develop constantly to keep up with the latest threats and updates. Recently we removed support for the X-XSS-Protection header.

What does the X-XSS-Protection header do?

The X-XSS-Protection header enables an XSS detection feature built into the browser (the browser's XSS filter), which blocks some categories of XSS attacks.

Why is it being removed?

Some browsers (Chrome and Edge) phased out support for X-XSS-Protection in 2019, and this trend continued in 2020. The header has therefore become redundant except for legacy browsers.

What browsers still support it?

[Browser compatibility table not reproduced in this extraction. Source: Firefox]

You can stay up to date with the latest data here: https://github.com/mdn/browser-compat-data

What to do instead?

Enabling a strong Content-Security-Policy header offers protection against XSS, because it restricts the sources from which the browser will load and execute scripts. You can read more about enabling security headers here: https://wiki.crashtest-security.com/enable-security-headers
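As an added example (not code from the Crashtest Security post or its scanner), the following Python script checks a response's headers the way a scanner would after retiring X-XSS-Protection: it flags the retired header, reports a missing Content-Security-Policy, and inspects the policy's script-src (or the default-src fallback) for settings that would still let injected scripts run. The header values and the message texts are constructed for this example.

```python
"""Assess HTTP response headers for browser-side XSS mitigation.

Added example, not part of the original post. The findings it produces are
illustrative; real scanners report more directives than checked here.
"""
from typing import Dict, List, Optional

RETIRED_HEADER = "x-xss-protection"
# Strong script sources in CSP: a nonce or a hash of the script body.
STRICT_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
# Sources that effectively allow scripts from anywhere.
WILDCARD_SOURCES = {"*", "http:", "https:"}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Parse a CSP header value into {directive name: [source expressions]}.

    Directives are separated by ';' and tokens by whitespace. Directive names
    are case-insensitive; when a directive is repeated, the first one wins.
    """
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def script_sources(policy: Dict[str, List[str]]) -> Optional[List[str]]:
    """Sources governing scripts: script-src, else default-src, else None."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def assess_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings for the given response headers.

    Header names are matched case-insensitively. An empty list means no
    issue was found by these checks.
    """
    lower = {name.lower(): value for name, value in headers.items()}
    findings: List[str] = []

    if RETIRED_HEADER in lower:
        findings.append("X-XSS-Protection is retired in current browsers; rely on CSP instead")

    csp = lower.get("content-security-policy")
    if csp is None:
        findings.append("no Content-Security-Policy header: no browser-side XSS mitigation")
        return findings

    sources = script_sources(parse_csp(csp))
    if sources is None:
        findings.append("CSP has neither script-src nor default-src: scripts are unrestricted")
        return findings

    lowered = [s.lower() for s in sources]
    has_strict = any(s.startswith(STRICT_PREFIXES) for s in lowered)
    # Browsers that understand nonces/hashes ignore 'unsafe-inline' when one
    # is present, so only flag it when no nonce or hash backs it up.
    if "'unsafe-inline'" in lowered and not has_strict:
        findings.append("script sources allow 'unsafe-inline' without a nonce or hash: injected inline scripts would run")
    if "'unsafe-eval'" in lowered:
        findings.append("script sources allow 'unsafe-eval'")
    if WILDCARD_SOURCES & set(lowered):
        findings.append("script sources include a wildcard scheme or host: scripts may load from any origin")
    return findings


# Constructed sample responses (not captured from a real site).
EXAMPLE_LEGACY = {
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
}
EXAMPLE_HARDENED = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'",
}
EXAMPLE_NO_CSP: Dict[str, str] = {"Content-Type": "text/html"}


if __name__ == "__main__":
    for label, hdrs in (("legacy", EXAMPLE_LEGACY), ("hardened", EXAMPLE_HARDENED), ("no CSP", EXAMPLE_NO_CSP)):
        print(label, "->", assess_headers(hdrs) or ["ok"])
```

The legacy sample shows the common pre-2020 pattern: the retired header is present and the CSP still permits inline scripts, so the policy adds little against reflected XSS. The hardened sample uses a per-response nonce, which is the setting the post's recommendation of a "strong" CSP points at.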


Written by Leon O'Neill

Marketing @ Crashtest Security
