Today I was reading “Everything you need to know about HTTP security headers”. The article gives a good overview on HTTP headers you can use to improve your web app security, including
I was wondering how many websites set the X-XSS-Protection header (and to which value), given that there are some known issues around it, as explained here. Thus I've scripted a quick and dirty bash script to analyze the landing pages of the Alexa top 1000 domains, and here is the result.
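The post does not include the script itself, so here is an added example (mine, not the author's) of how such a survey can be put together in POSIX shell: fetch each landing page's response headers with curl while following redirects, take the X-XSS-Protection value from the final response only, and bucket it the way the numbers below do. The function names, the bucket labels and the constructed header dumps used in the demo are assumptions of this example, not anything taken from the post.

```shell
#!/bin/sh
# Added example, not the author's script. Function names, bucket labels and the
# demo header dumps at the bottom are assumptions of this example.
set -eu

# fetch_headers DOMAIN
# Print the raw response headers of https://DOMAIN/, following redirects so the
# final landing page is what gets measured (needs network; not used by the demo).
fetch_headers() {
    curl -sSIL -m 15 -A 'Mozilla/5.0 (x-xss-protection survey)' "https://$1/"
}

# xss_protection_value
# Read a curl -I header dump on stdin (several responses when redirects were
# followed) and print the X-XSS-Protection value of the LAST response only, so a
# header set on an intermediate hop is not credited to the landing page.
# Header names match case-insensitively; CRs and surrounding blanks are dropped.
xss_protection_value() {
    tr -d '\r' | awk '
        /^HTTP\// { v = "" }                 # new response: forget earlier headers
        {
            i = index($0, ":")              # split on the first colon only, so
            if (i > 0 && tolower(substr($0, 1, i - 1)) == "x-xss-protection") {
                v = substr($0, i + 1)       # report=https://... survives intact
                sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            }
        }
        END { if (v != "") print v }'
}

# classify_xss_protection VALUE
# Map a header value to the buckets used in the survey:
#   absent     header missing (the browser default applies)
#   disabled   0              filter explicitly switched off
#   sanitize   1              filter on, page gets rewritten in place
#   block      1; mode=block  filter on, rendering stops instead
#   malformed  anything else
# "+report" is appended when a report= directive is present.
classify_xss_protection() {
    norm=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -d ' \t')
    case "$norm" in
        '')       bucket=absent ;;
        0|'0;'*)  bucket=disabled ;;
        1|'1;'*)  bucket=sanitize ;;
        *)        bucket=malformed ;;
    esac
    case "$norm" in '1;'*'mode=block'*) bucket=block ;; esac
    case "$norm" in '1;'*'report='*)    bucket="$bucket+report" ;; esac
    printf '%s\n' "$bucket"
}

# classify_dump: header dump on stdin -> bucket (the two steps above composed)
classify_dump() {
    classify_xss_protection "$(xss_protection_value)"
}

# survey < domains.txt
# One "domain<TAB>bucket" line per input domain. A site that times out or
# refuses the connection is counted as absent rather than aborting the run.
survey() {
    while IFS= read -r domain; do
        [ -n "$domain" ] || continue
        value=$(fetch_headers "$domain" 2>/dev/null | xss_protection_value || true)
        printf '%s\t%s\n' "$domain" "$(classify_xss_protection "$value")"
    done
}

# tally: count buckets in survey output, most common first
tally() { cut -f2 | sort | uniq -c | sort -rn; }

# Demo on constructed header dumps (not captured from real sites): the three
# shapes seen in the survey, plus a redirect whose header sits only on the hop.
printf 'HTTP/2 200\r\nx-xss-protection: 1; mode=block\r\n\r\n' | classify_dump
printf 'HTTP/1.1 200 OK\r\nX-XSS-Protection: 0\r\n\r\n' | classify_dump
printf 'HTTP/1.1 200 OK\r\nX-XSS-Protection: 1; mode=block; report=https://example.com/r\r\n\r\n' | classify_dump
printf 'HTTP/1.1 301 Moved\r\nX-XSS-Protection: 0\r\nLocation: https://a.example/\r\n\r\nHTTP/1.1 200 OK\r\nServer: x\r\n\r\n' | classify_dump
```

Run it as `survey < domains.txt | tally` to get the counts; the domain list is whatever ranking you trust, and a user agent that looks like a browser matters because some CDNs serve different headers to curl's default one. The per-response reset in the awk step is the part a quick one-liner usually gets wrong: with `curl -L` the dump contains every hop, and grepping it as a whole attributes a redirector's header to the landing page.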
How many websites set the header?
23% of the Alexa top 1000 domains set the X-XSS-Protection header on their landing pages. This sounds like a pretty respectable number: there's still much room for improvement, but roughly 1 out of 4 websites uses it.
What value is it set to?
As expected, the vast majority set it to X-XSS-Protection: 1; mode=block, but a couple of big names, Facebook and Slack, explicitly disable it (X-XSS-Protection: 0), probably to overcome the issues explained here. A few websites, including YouTube, Netflix and Etsy, add the report directive as well (see MDN for more information).
The raw data
If you’re interested in the raw data, please download this file.