jm Zå¾â.Ý¸Ñ ËbIw¥h2&*pßý.!üMSolutions : The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. Although these protections are largely unnecessary in modern browsers when sites implement a strong Content-Security-Policy that disables the use of inline JavaScript ('unsafe-inline'), they can still provide protections for users of older web browsers that don't yet support CSP.
Header type Response header
Forbidden header name no
SyntaxSection
X-XSS-Protection: 0
X-XSS-Protection: 1
X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; report=<reporting-uri>
0
Disables XSS filtering.
1
Enables XSS filtering (usually default in browsers). If a cross-site scripting attack is detected, the browser will sanitize the page (remove the unsafe parts).
1; mode=block
Enables XSS filtering. Rather than sanitizing the page, the browser will prevent rendering of the page if an attack is detected.
1; report=<reporting-URI> (Chromium only)
Enables XSS filtering. If a cross-site scripting attack is detected, the browser will sanitize the page and report the violation. This uses the functionality of the CSP report-uri directive to send a report.
ExampleSection
Block pages from loading when they detect reflected XSS attacks:
X-XSS-Protection: 1; mode=block
PHP
header("X-XSS-Protection: 1; mode=block");
Apache (.htaccess)
<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
</IfModule>
Nginx
add_header "X-XSS-Protection" "1; mode=block";
https://whatsonchain.com/tx/4fb2ce010f98ac9cd58dc7b17573d9b5e4ea2923fb282916127ef0d667f485e1