# X-XSS Protection

The X-XSS Protection feature adds the `X-XSS-Protection` header to viewer responses. This header instructs compatible browsers to enable their built-in XSS filtering mechanisms. While most modern browsers now ignore this header, the setting can still provide protection for legacy browsers that rely on it.

The feature does not modify origin requests or affect CDN caching behavior.

## How X-XSS Protection Works

You can configure X-XSS Protection in the [Medianova Control Panel](https://cloud.medianova.com) or via the [API](https://clients.medianova.com/api-documentation/performance-cdn/headers#put-api-v1-cdn-organization_uuid-resource-resource_uuid-6).

When enabled:

* The CDN adds the following header to viewer-facing responses:

  ```
  X-XSS-Protection: 1; mode=block
  ```
* Browsers that still support the header will block pages that trigger reflected XSS heuristics.
* If disabled, the CDN does not include the header, and browsers revert to their default behavior.

This feature is primarily relevant for environments that depend on legacy browser compatibility.
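To verify what a viewer actually receives, the check below parses the `X-XSS-Protection` value the CDN adds and reports whether a response also carries the `Content-Security-Policy` that modern browsers rely on instead. This is an added example, not Medianova code; the header sets are constructed and the `report=` directive is included only because it is part of the header's legacy syntax.

```python
"""Audit the XSS-related headers on a viewer response (constructed example)."""
from typing import Dict, List


def parse_xss_protection(value: str) -> Dict[str, str]:
    """Split '1; mode=block; report=/uri' into its directives.

    Returns e.g. {'enabled': '1', 'mode': 'block', 'report': '/uri'}.
    """
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts:
        return {}
    parsed = {"enabled": parts[0]}
    for directive in parts[1:]:
        name, _, val = directive.partition("=")
        parsed[name.strip().lower()] = val.strip()
    return parsed


def audit_xss_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for one response; header names compare case-insensitively."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    xss = lower.get("x-xss-protection")
    if xss is None:
        findings.append("X-XSS-Protection missing: legacy browsers use their default filtering")
    else:
        parsed = parse_xss_protection(xss)
        if parsed.get("enabled") == "0":
            findings.append("X-XSS-Protection explicitly disabled (0)")
        elif parsed.get("enabled") == "1" and parsed.get("mode") != "block":
            # Plain '1' makes the legacy filter sanitize the page rather than block it.
            findings.append("X-XSS-Protection is 1 without mode=block: legacy filter sanitizes, not blocks")
    if "content-security-policy" not in lower:
        findings.append("Content-Security-Policy missing: modern browsers get no header-based XSS mitigation")
    return findings


# Constructed sample: what a viewer sees with the feature enabled and a CSP at the origin.
SAMPLE_VIEWER_RESPONSE = {
    "Content-Type": "text/html",
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "default-src 'self'",
}

if __name__ == "__main__":
    for finding in audit_xss_headers(SAMPLE_VIEWER_RESPONSE) or ["no findings"]:
        print(finding)
```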

<figure><img src="https://542970813-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtK7oIwmhUHdEJcaH4Hx8%2Fuploads%2FkHNeZxviUtbbsIMDKwCO%2Fimage.png?alt=media&#x26;token=b2876486-a31f-426b-b952-3472a1196e7b" alt=""><figcaption><p>X-XSS Protection toggle inside the Headers tab</p></figcaption></figure>

### Use Cases

#### Legacy browser support

Provide reflected-XSS filtering for older browsers that still honor the header.

#### Controlled security posture

Ensure consistent browser behavior across mixed device environments or corporate networks with outdated browser fleets.

### Notes

* Modern browsers (Chrome, Edge, Safari) ignore `X-XSS-Protection` and instead rely on CSP (`Content-Security-Policy`) for XSS mitigation.
* This feature affects only **viewer responses**, not origin requests.
* Enabling the header does not prevent stored or DOM-based XSS attacks.
