X-XSS-Protection

Enabled Stop pages from loading when they detect reflected cross-site scripting (XSS).


The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. These protections are largely unnecessary in modern browsers when sites implement a strong Content-Security-Policy that disables the use of inline JavaScript ('unsafe-inline').

ℹ Read more about this header here.

Usage

This header is enabled by default but you can change its behavior like following.

export default defineNuxtConfig({  // Global  security: {    headers: {      xXSSProtection: <OPTIONS>,    },  },  // Per route  routeRules: {    '/custom-route': {      headers: {        'X-XSS-Protection': <OPTIONS>      },    }  }})

You can also disable this header by xXSSProtection: false.

Default value

By default, Nuxt Security will set following value for this header.

X-XSS-Protection: 0

Available values

The xXSSProtection header can be configured with following values.

xXSSProtection: string | false;

0

Disables XSS filtering.

1

Enables XSS filtering (usually default in browsers). If a cross-site scripting attack is detected, the browser will sanitize the page (remove the unsafe parts).

1; mode=block

Enables XSS filtering. Rather than sanitizing the page, the browser will prevent rendering of the page if an attack is detected.

1; report=<reporting-URI> (Chromium only)

Enables XSS filtering. If a cross-site scripting attack is detected, the browser will sanitize the page and report the violation. This uses the functionality of the CSP report-uri directive to send a report.

ℹ Read more about Vulnerabilities caused by XSS filteringhere.