Security Plugins Hub

Bring your software development workflows to security


Reflected XSS browser protection

Signals & Triggers

On request


  • Set the header Set the header


Cross-site scripting (XSS) is one of the most common and dangerous type attacks on the web, as it is often used to inject malicious code into your app to extract data about a logged in user, or take advantage of their user privileges to perform actions they shouldn’t be able to perform.

Setting the X-XSS-Protection header authorizes the client browsers to block attackers from reflected XSS attacks. The X-XSS-Protection header - set on the server side - highly improves the protection of web applications against cross-site scripting (XSS).

When a XSS attack is detected, you can either choose to sanitize the page by removing the unsafe parts (default behaviour when set); or prevent the browser from rendering the page (mode block).

While we highly recommand to setup a Content Security Policy (CSP) to prevent XSS to happen, this header is a good and simple first step.

Advanced details

This plugin can automatically set the X-XSS-Protection header to the configured value in HTTP responses.

By instrumenting the HTTP server running in your application, Sqreen can inject the right value at runtime without requiring any code change nor deployment.

The value and the plugin status can be changed anytime from the plugin page.

Language support

  • Ruby
  • Node.js
  • PHP
  • Python
  • Java

Data collected by Sqreen


No data collected

Built for developers and modern apps

Get up and running in minutes just by installing our lightweight library. Enable plugins in just a couple of clicks.

  • Ruby
  • Node.js
  • PHP
  • Python
  • Java
  • Go
  • .net
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9

$ echo "gem 'sqreen'" >> Gemfile

$ bundle install

$ echo "token: your token" > config/sqreen.yml

$ npm install --save sqreen

$ echo '{ "token": "your token" }' > sqreen.json

$ curl -s > && bash your token

$ pip install sqreen

$ echo -e "[sqreen]\ntoken: your token" > sqreen.ini

$ curl -o sqreen.jar

Request your beta access for the Go agent Request beta
Get notified when the .net agent releases Notify me

Build amazing products. Keep them safe.

5 min installation · Try all features for 14 days · No credit card required Sign up Request demo