Security Hub

Bring your software development workflows to security


Reflected XSS browser protection

Signals & Triggers

On request


  • Set the http header


Cross-site scripting (XSS) is one of the most common and dangerous type attacks on the web, as it is often used to inject malicious code into your app to extract data about a logged in user, or take advantage of their user privileges to perform actions they shouldn’t be able to perform.

Setting the X-XSS-Protection header authorizes the client browsers to block attackers from reflected XSS attacks. The X-XSS-Protection header - set on the server side - highly improves the protection of web applications against cross-site scripting (XSS).

When a XSS attack is detected, you can either choose to sanitize the page by removing the unsafe parts (default behaviour when set); or prevent the browser from rendering the page (mode block).

While we highly recommand to setup a Content Security Policy (CSP) to prevent XSS to happen, this header is a good and simple first step.

Advanced details

This plugin can automatically set the X-XSS-Protection header to the configured value in HTTP responses.

By instrumenting the HTTP server running in your application, Sqreen can inject the right value at runtime without requiring any code change nor deployment.

The value and the plugin status can be changed anytime from the plugin page.

Language support

  • Node.js
  • PHP
  • Ruby
  • Python
  • Java

Data collected by Sqreen

No data collected

Build amazing products. Keep them safe.

Dive into Sqreen with our 14-day trial, and experience seamlessly security. Free Trial Request demo