X XSS Protection

The following is a quick lesson to recap browser-specific Cross-site Scripting protection. While not in active use anymore, this security header is simply a server response and it is still effective to employ.

The HTTP header X-XSS-Protection is used by IE8 and IE9 and allows the Cross-Site-Scripting (XSS) filter capability that is built into the browser to be toggled on or off.

Turning XSS filtering on for any IE8 and IE9 browsers rendering your web application requires the following HTTP header to be sent:

X-XSS-Protection: 1; mode=block

With Helmet, this protection can be turned on using the following snippet:

const helmet = require("helmet");

app.use(helmet.xssFilter());

Get hands-on with 1400+ tech skills courses.