X-XSS Protection
Learn how the X-XSS-Protection header controls browser-side filtering of reflected Cross-Site Scripting (XSS) attacks.
The X-XSS Protection feature adds the X-XSS-Protection header to viewer responses. The header instructs browsers that implement a built-in reflected-XSS filter to enable it. Most modern browsers have removed that filter and ignore the header, so the setting only affects legacy browsers that still honor it.
The feature does not modify origin requests or affect CDN caching behavior.
How X-XSS Protection Works
You can configure X-XSS Protection in the Medianova Control Panel or via the API.
When enabled:
The CDN adds the following header to viewer-facing responses:
X-XSS-Protection: 1; mode=block
Browsers that still support the header block the page outright when their reflected-XSS heuristics trigger, rather than rendering a sanitized version of it.
If disabled, the CDN does not include the header, and browsers revert to their default behavior.
This feature is primarily relevant for environments that depend on legacy browser compatibility.

Use Cases
Legacy browser support
Provide reflected-XSS filtering for older browsers that still honor the header.
Controlled security posture
Ensure consistent browser behavior across mixed device environments or corporate networks with outdated browser fleets.
Notes
Modern browsers (Chrome, Edge, Safari) ignore X-XSS-Protection; the supported XSS mitigation in those browsers is a Content-Security-Policy (CSP), which you must configure separately. This feature affects only viewer responses, not origin requests.
Enabling the header does not prevent stored or DOM-based XSS attacks. Even in legacy browsers the filter was heuristic and had known bypasses, so treat it as defense in depth alongside output encoding and a CSP, not as a substitute for them.
The value the CDN sends, 1; mode=block, blocks the page entirely. This is preferable to the filter-only value 1, which made legacy browsers rewrite the page and was itself abusable in some of them.
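The following audit script is an added example, not Medianova's code or part of the CDN. It checks the header behavior described in this page: it parses an X-XSS-Protection value, flags filter-only or malformed values, and reports whether a response also carries a Content-Security-Policy, since the notes above make clear that modern browsers get nothing from X-XSS-Protection alone. The sample responses are constructed; in practice you would feed it headers captured from your CDN hostname (for example with curl -sI) and confirm that viewer responses carry the header while origin responses need not.

```python
"""Audit HTTP response headers for the X-XSS-Protection / CSP posture.

Added example, not Medianova's code. The sample responses below are
constructed; replace them with headers captured from your own CDN
hostname (for instance from ``curl -sI``) to audit real responses.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class XssProtection:
    enabled: bool              # "1" -> True, "0" -> False
    block: bool                # mode=block directive present
    report_uri: Optional[str]  # report=<uri> directive, if any


def parse_xss_protection(value: str) -> Optional[XssProtection]:
    """Parse an X-XSS-Protection value such as '1; mode=block'.

    Returns None for anything that is not '0' or '1' followed by the
    mode=block / report=<uri> directives, so a malformed value is flagged
    instead of silently treated as enabled.
    """
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts or parts[0] not in ("0", "1"):
        return None
    enabled = parts[0] == "1"
    block = False
    report_uri = None
    for directive in parts[1:]:
        name, _, arg = directive.partition("=")
        name, arg = name.strip().lower(), arg.strip()
        if name == "mode" and arg.lower() == "block":
            block = True
        elif name == "report" and arg:
            report_uri = arg
        else:
            return None  # unknown directive or bad argument
    return XssProtection(enabled, block, report_uri)


def audit_response(headers: Dict[str, str]) -> List[str]:
    """Return findings for one response; an empty list means no concerns.

    Header names are matched case-insensitively because CDNs and origins
    differ in the capitalisation they emit.
    """
    lower = {name.lower(): val for name, val in headers.items()}
    findings: List[str] = []

    raw = lower.get("x-xss-protection")
    if raw is None:
        findings.append("X-XSS-Protection absent: legacy browsers fall back to their default filter behaviour")
    else:
        parsed = parse_xss_protection(raw)
        if parsed is None:
            findings.append(f"X-XSS-Protection unparseable: {raw!r}")
        elif not parsed.enabled:
            findings.append("X-XSS-Protection: 0 turns the legacy filter off")
        elif not parsed.block:
            findings.append("X-XSS-Protection: 1 without mode=block lets the legacy filter rewrite the page instead of blocking it")

    if "content-security-policy" not in lower:
        findings.append("No Content-Security-Policy: modern browsers get no XSS mitigation from this response")
    return findings


# Constructed sample responses (not captured from a real CDN).
SAMPLE_RESPONSES = {
    "cdn-feature-on-with-csp": {
        "X-XSS-Protection": "1; mode=block",
        "Content-Security-Policy": "default-src 'self'",
    },
    "cdn-feature-on-no-csp": {
        "x-xss-protection": "1; mode=block",
    },
    "origin-filter-only": {
        "X-XSS-Protection": "1",
    },
    "cdn-feature-off": {},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLE_RESPONSES.items():
        print(label, audit_response(hdrs) or ["OK"])
```

Run it as-is to see the four constructed cases; only the response that has both the CDN's mode=block header and a CSP comes back clean, which is the posture this page's notes recommend.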