Marco Pracucci

X-XSS-Protection in the wild

by Marco Pracucci Comments

Today I was reading “Everything you need to know about HTTP security headers”. The article gives a good overview on HTTP headers you can use to improve your web app security, including X-XSS-Protection.

I was wondering how many websites set the X-XSS-Protection header (and to which value) given the fact there are some known issues around it, as explained here. Thus I’ve scripted a quick and dirty bash script to analyze the Alexa top 1000 domains landing pages and here is the result.

How many websites set the header?

The 23% of the Alexa top 1000 domains set the X-XSS-Protection header in their landing pages. This sounds a pretty respectable number: there’s still much room for improvement, but 1 out of 4 websites use it.


What value is it set to?

As expected, the vast majority is setting it to X-XSS-Protection: 1; mode=block, but there are a couple of big names - Facebook and Slack - explicitely disabling it, probably to overcome the issues explained here. Few websites - including YouTube, Netflix and Etsy - add the report attribute as well (see MDN for more information).


The raw data

If you’re interested in the raw data, please download this file.

Upcoming conferences

I will join the following conferences. Reach me out on Twitter if you wanna meet:
Incontro DevOps 2020 Virtual 22 October 2020