The X-Xss-Protection Header allows you to leverage browser-based protections against cross-site scripting. This should be implemented on your web servers to protect your users and increase user trust in your site. Your policy should be set in blocking mode when possible to ensure the browser blocks a page if cross-site scripting is detected.


X-Xss-Protection allows you to protect users whose browsers do not support Content Security Policy (generally older browsers), or protect users if you do not have a Content Security Policy.

Add the following in nginx.conf under http block:

add_header X-XSS-Protection "1; mode = block"


Verify the header is enabled and configured by issuing the following command:

grep X-XSS-Protection /etc/nginx/nginx.conf

The output should include the below at a minimum:

add_header "X-XSS-Protection" "1; mode=block";

Optionally you may configure your policy to report to a reporting URI when violations of this policy occur. You can do this by leveraging the report directive.