X-XSS-Protection

X-XSS-Protection is a deprecated browser security header. Chrome removed its XSS Auditor in 2019. SaaSalyst checks this header as part of a security header audit but treats it as low severity — the modern best practice is to set it to 0 or omit it entirely.

What SaaSalyst Checks

SaaSalyst inspects the HTTP response headers for the X-XSS-Protection header. The modern recommendation is X-XSS-Protection: 0 (which passes). Setting it to 1; mode=block also passes with a note. Setting it to 1 without mode=block triggers a warning. An absent header passes — its absence is not a security concern.

Why This Matters

X-XSS-Protection was introduced by Internet Explorer and later adopted by Chrome and Safari to enable built-in XSS filtering. Chrome removed its XSS Auditor entirely in 2019 (Chrome 78), and other browsers followed suit.

The header is now considered deprecated. Setting X-XSS-Protection: 1 without mode=block can actually introduce vulnerabilities in some edge cases. The recommended approach is to set it to 0 and rely on Content-Security-Policy for XSS protection.

SaaSalyst rates this header as low severity because it has minimal security impact in modern browsers.

How to Fix It

  1. Set X-XSS-Protection: 0 in your server responses (modern best practice).
  2. Alternatively, omit the header entirely — its absence is not a security concern.
  3. If you currently have X-XSS-Protection: 1, either add mode=block or switch to 0.
  4. Ensure you have a strong Content-Security-Policy header for actual XSS protection.
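The four steps above applied in a minimal application, as an added example that is not SaaSalyst's code: a WSGI app that sends X-XSS-Protection: 0 together with a Content-Security-Policy, plus a helper that runs the app against a constructed request so the headers can be verified offline. The CSP value is an illustrative baseline chosen here, not a policy the page prescribes.

```python
"""Serve pages with the legacy XSS filter disabled and a CSP in place.

Added example: demonstrates the recommended header configuration with a
WSGI app from the standard library. The Content-Security-Policy value is an
illustrative baseline, not one the page specifies.
"""
from __future__ import annotations

from wsgiref.simple_server import make_server

# The legacy configuration this replaces: "1" alone (warning), or "1; mode=block"
# (passes with a note). Both are superseded by "0" plus a real CSP.
LEGACY_HEADER = ("X-XSS-Protection", "1")

# Recommended headers: disable the deprecated filter, rely on CSP for XSS defence.
SECURITY_HEADERS = [
    ("X-XSS-Protection", "0"),
    ("Content-Security-Policy",
     "default-src 'self'; object-src 'none'; base-uri 'self'"),  # illustrative
]


def app(environ, start_response):
    """Tiny WSGI application that attaches the security headers to every response."""
    body = b"<!doctype html><title>ok</title><p>Hello</p>"
    headers = [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Content-Length", str(len(body))),
    ] + SECURITY_HEADERS
    start_response("200 OK", headers)
    return [body]


def response_headers(path: str = "/") -> dict[str, str]:
    """Run the app against a constructed WSGI environ (no network) and return
    the response headers as a dict, so the configuration can be checked."""
    captured: dict[str, str] = {}

    def start_response(status, headers, exc_info=None):
        captured.update(dict(headers))

    environ = {
        "REQUEST_METHOD": "GET",
        "PATH_INFO": path,
        "SERVER_NAME": "localhost",
        "SERVER_PORT": "8000",
        "wsgi.url_scheme": "http",
    }
    list(app(environ, start_response))  # consume the body iterator
    return captured


def legacy_header_removed() -> bool:
    """True when the app no longer emits the legacy '1' value."""
    return response_headers().get(LEGACY_HEADER[0]) != LEGACY_HEADER[1]


if __name__ == "__main__":
    print(response_headers())
    with make_server("127.0.0.1", 8000, app) as srv:
        print("serving on http://127.0.0.1:8000/ (Ctrl+C to stop)")
        srv.serve_forever()
```

Run the file to serve on port 8000, or call response_headers() from a test to assert on the exact header values the app emits; the same pattern (a fixed list of security headers appended to every response) transfers to any framework that lets you add a response hook.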

Frequently Asked Questions

How does SaaSalyst check for X-XSS-Protection?

SaaSalyst inspects your server's HTTP response headers for the X-XSS-Protection header. The scanner evaluates the value: 0 passes (modern best practice), 1; mode=block passes with a note, 1 alone triggers a warning, and an absent header passes.
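The evaluation rules stated above (and under "What SaaSalyst Checks") as a small, runnable check, added here as an example that is not SaaSalyst's own scanner code. It parses the header value, applies the four outcomes the page lists, and looks the header up case-insensitively in a response header mapping; treating an empty or unrecognised value as a warning is this example's assumption, since the page does not say.

```python
"""Classify an X-XSS-Protection header value using the rules described above.

Added example, not the SaaSalyst scanner. Outcomes follow the page:
  0               -> pass
  1; mode=block   -> pass with a note
  1 (no mode)     -> warning
  absent          -> pass
Empty or unrecognised values are treated as a warning (assumption).
"""
from __future__ import annotations

from typing import Optional

PASS = "pass"
PASS_NOTE = "pass-with-note"
WARN = "warning"


def evaluate_x_xss_protection(value: Optional[str]) -> tuple[str, str]:
    """Return (outcome, explanation) for one header value; None means absent."""
    if value is None:
        return PASS, "header absent; its absence is not a security concern"

    # Syntax is "<mode>; directive=value; ..." with case-insensitive directives.
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts:
        return WARN, "empty header value"  # assumption: not covered by the page

    mode = parts[0]
    directives: dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        directives[key.strip().lower()] = val.strip().lower()

    if mode == "0":
        return PASS, "filter disabled (modern best practice)"
    if mode == "1":
        if directives.get("mode") == "block":
            return PASS_NOTE, "mode=block set; header is deprecated, prefer 0"
        return WARN, "1 without mode=block; set 0 or add mode=block"
    return WARN, f"unrecognised value {value!r}"  # assumption


def audit_headers(headers: dict[str, str]) -> tuple[str, str]:
    """Find X-XSS-Protection in a response header mapping (header names are
    case-insensitive) and evaluate it; a missing header evaluates as absent."""
    for name, value in headers.items():
        if name.lower() == "x-xss-protection":
            return evaluate_x_xss_protection(value)
    return evaluate_x_xss_protection(None)


# Constructed sample responses (not captured from any real site).
SAMPLE_RESPONSES = {
    "modern": {"Content-Type": "text/html", "X-XSS-Protection": "0"},
    "legacy-block": {"content-type": "text/html", "x-xss-protection": "1; mode=block"},
    "legacy-filter": {"Content-Type": "text/html", "X-XSS-Protection": "1"},
    "omitted": {"Content-Type": "text/html", "Content-Security-Policy": "default-src 'self'"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLE_RESPONSES.items():
        outcome, why = audit_headers(hdrs)
        print(f"{label:14s} {outcome:15s} {why}")
```

To run it against a live service, fetch the response with your HTTP client of choice and pass the header mapping to audit_headers(); the evaluation does not depend on how the headers were obtained.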

Is X-XSS-Protection still relevant?

X-XSS-Protection is deprecated. Chrome removed its XSS Auditor in 2019. SaaSalyst still checks for it as part of a complete security header audit, but rates it as low severity. Content-Security-Policy provides modern XSS protection.

How does X-XSS-Protection affect my Business Readiness Score?

SaaSalyst rates X-XSS-Protection as low severity in Security & Infrastructure. The header is deprecated and its absence does not reduce your score.
