cómo configurar el encabezado Http X-XSS-Protection

I have tried to put this:

   <meta http-equiv="X-XSS-Protection" content="0">

en el objeto <head> tag but have had no luck. I am trying to get rid of pesky IE preventing cross-site scirpting

preguntado el 08 de enero de 11 a las 18:01

Try sending it as an HTTP header, maybe? -

How do I do that? sorry Im new to setting headers -

6 Respuestas

I doubt it'd work as just a meta tag. You may have to tell your web server to send it as a real header.

In PHP, you'd do it like

header("X-XSS-Protection: 0");

In ASP.net:


In Apache's config:

Header set  X-XSS-Protection  0

In IIS, there's a section in the properties for extra headers. It often has "X-Powered-By: ASP.NET" already set up in it; you'd just add "X-XSS-Protection: 0" to that same place.

Respondido el 08 de enero de 11 a las 21:01

Correct, it's not supported as a HTTP header. - EricLaw

do I add this to the .htaccess file within the root dir of my site? - Aly

If you want it to apply to the whole site, yes. - cHao

I have tried this in Coldfusion: <cfheader name="X-XSS-Protection" value="0"> But it's not working for me. Any idea about Coldfusion? - Adil Malik

@AdilMalik: Sorry, i've never had to work with CF. The docs look like that'd be right, though. Is the header just not showing up in the response, or is there an error, or what? - cHao

If you are using .Net MVC you can configure it through customHeaders in Web.Config.

To add these headers, go to the httpprotocol node and add those headers inside the customHeaders nodo.

        <remove name="X-Powered-By"> 
           <add name="X-XSS-Protection" value="1; mode=block"></add>

I highly recommend this link that explain how can you can configuring Secure IIS Response Headers in ASP.NET MVC: http://insiderattack.blogspot.com/2014/04/configuring-secure-iis-response-headers.html

Respondido 09 Jul 18, 19:07

tag closing was wrong you need to put those two lines inside customheaders tag <remove name="X-Powered-By" /> <add name="X-XSS-Protection" value="1; mode=block" /> - Shady Mohamed Sherif

@shadyshrif tag closing are fine on the code. Take a look: </add></remove> - equiman

@mahmoud-samy please stop editing incorrectly this answer. Auto close tags isn't the solution, you close remove tag before add and it's wrong. Please take a look to the link that i posted. Are you tested the solution that you trying edit?. - equiman

@Equiman I've changed it after trying the existing answer. The suggested changes are actually running in production now. - Mahmoud Samy

Changes suggested by shady sheriff are correct other wise it shows error. - ABB

In Apache, you need to edit the config file, this file could be:



In the file you can add these lines at the end to enable HTTP Header XSS Protection:

<IfModule mod_headers.c>
    Header set X-XSS-Protection: "1; mode=block"

Nota: si mod_headers is external to the main Apache core (not compiled into Apache) then you would use .so más bien que .c - ie. <IfModule mod_headers.so>

After that, save changes, and restart apache with:

Sudo service apache2 restart


sudo service httpd restart

¡Espero que esto ayude! :)

Respondido el 23 de diciembre de 15 a las 04:12

I know this has been a long time ago but I came across it while searching for something and I don't think you put the : después de la Protection if you are putting this inside a .htaccess file, do you? - GµårÐïåñ

In ASP Classic, this tag will do it:

<% Response.AddHeader "X-XSS-Protection", "1" %>

contestado el 05 de mayo de 16 a las 13:05

I'm using ASP web forms, Where should I need to add this? - Sachith

In some cases, if you use .htaccess, you will need to use double quotes:

Header set x-xss-protection "1; mode=block"

contestado el 12 de mayo de 20 a las 03:05

# Turn on IE8-IE9 XSS prevention tools
Header set X-XSS-Protection "1; mode=block"

This header is exclusive to Internet Explorer 8 and 9, it turns on cross site scripting protection in IE 8 and IE 9 which is turned off by default as it could potentially break some websites. To turn on the XSS filter, use the header X-XSS-Protection "1; mode=block". If you wish to prevent this filter from being turned on for your website set the headers value to "0";


Respondido 21 Oct 15, 21:10

No es la respuesta que estás buscando? Examinar otras preguntas etiquetadas or haz tu propia pregunta.