Web Browser XSS Protection Not Enabled
ID | web_browser_xss_protection_not_enabled
Severity | info
Kind | Cross-Site Scripting
CWE | N/A
Description
The web server's responses either omit the 'X-XSS-Protection' HTTP response header or send it with the value 0, so the legacy browser-side XSS filter is not enabled or is explicitly disabled.
Rationale
This finding is informational and has minimal security impact, because the major browsers no longer implement the filter the header controls: Chrome removed its XSS Auditor in version 78 (2019), Microsoft Edge dropped its XSS Filter in 2018, and Firefox never implemented one. The header was designed to switch on browser-based filtering of reflected XSS, but the filters themselves created new problems: an attacker could trigger them deliberately to block a site's own legitimate scripts (selectively disabling client-side protections), and the block/no-block behaviour served as a cross-site information leak oracle. The header has been superseded by Content Security Policy. Modern practice relies on CSP and proper input validation and output encoding rather than browser XSS filters, so this alert serves mainly as a legacy detection for outdated security configurations.
Remediation
Since X-XSS-Protection is deprecated and ignored by current browsers, focus on a robust Content Security Policy (CSP) instead. Use a CSP that restricts script sources (for example to 'self' plus a per-response nonce or hash) and does not allow 'unsafe-inline' or wildcard script sources, so that injected inline scripts cannot execute. Ensure proper input validation and context-aware output encoding to prevent XSS at the application level; CSP is a mitigation for encoding mistakes, not a substitute for them. If you must send the header for very old browsers, never use the bare value 1 (the sanitizing mode rewrote pages and was itself abused); 1; mode=block is the least risky enabled setting, and the current OWASP guidance is to set X-XSS-Protection: 0 so that no legacy filter can be turned against the site. In all cases treat CSP as the primary defense and verify the headers actually served by inspecting a live response (for example with curl -I).
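The following is an added example, not code from the original finding page or from any scanner, showing both halves of the discussion above: how a checker can classify the X-XSS-Protection states this finding reports (missing, disabled, sanitize mode, block mode) and whether a CSP on the same response actually restricts script execution, plus the header set the remediation recommends. The function names and the sample header dictionaries are constructed for illustration; the parsing of CSP directives is deliberately minimal (it looks only at script-src, falling back to default-src).

```python
"""Added example: classify X-XSS-Protection and check CSP script restrictions.
Not part of the original page; helper names and sample headers are constructed."""
import secrets
from typing import Dict, List, Mapping, Optional


def _get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    # HTTP header names are case-insensitive, so compare lower-cased names.
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def classify_xss_protection(headers: Mapping[str, str]) -> str:
    """Return one of: 'missing', 'disabled', 'enabled-sanitize',
    'enabled-block' or 'invalid', mirroring the states this finding reports."""
    value = _get_header(headers, "X-XSS-Protection")
    if value is None:
        return "missing"
    directives = [d.strip().lower() for d in value.split(";")]
    if directives[0] == "0":
        return "disabled"
    if directives[0] == "1":
        # Bare '1' is sanitize mode; 'mode=block' stops the page instead.
        return "enabled-block" if "mode=block" in directives[1:] else "enabled-sanitize"
    return "invalid"


def _parse_csp(csp: str) -> Dict[str, List[str]]:
    # A CSP is ';'-separated directives, each a name followed by source tokens.
    policy: Dict[str, List[str]] = {}
    for directive in csp.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy


def csp_restricts_scripts(headers: Mapping[str, str]) -> bool:
    """True if a CSP is present and its effective script source list neither
    allows 'unsafe-inline' (without a nonce/hash) nor uses a wildcard."""
    csp = _get_header(headers, "Content-Security-Policy")
    if csp is None:
        return False
    policy = _parse_csp(csp)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return False
    # CSP Level 2+ browsers ignore 'unsafe-inline' once a nonce or hash is listed.
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
    )
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        return False
    if "*" in sources:
        return False
    return True


def hardened_headers(nonce: Optional[str] = None) -> Dict[str, str]:
    """The header set the remediation recommends: a nonce-based CSP as the
    primary defence and X-XSS-Protection explicitly 0 (assumed example values)."""
    if nonce is None:
        nonce = secrets.token_urlsafe(16)  # fresh per response in real use
    return {
        "Content-Security-Policy": (
            f"default-src 'self'; script-src 'self' 'nonce-{nonce}'; "
            "object-src 'none'; base-uri 'self'"
        ),
        "X-XSS-Protection": "0",
        "X-Content-Type-Options": "nosniff",
    }


def assess(headers: Mapping[str, str]) -> Dict[str, object]:
    """Summarise a response the way a scanner would report this finding."""
    state = classify_xss_protection(headers)
    csp_ok = csp_restricts_scripts(headers)
    return {
        "xss_protection": state,
        "csp_restricts_scripts": csp_ok,
        "severity": "info",  # the header state alone never raises severity
        "action": "none" if csp_ok else "add a script-restricting CSP",
    }


# Constructed sample responses, one per state the finding can report.
SAMPLE_MISSING = {"Content-Type": "text/html"}
SAMPLE_DISABLED = {"Content-Type": "text/html", "x-xss-protection": "0"}
SAMPLE_SANITIZE = {"X-XSS-Protection": "1"}
SAMPLE_WEAK_CSP = {"Content-Security-Policy": "default-src 'self' 'unsafe-inline'"}

if __name__ == "__main__":
    for name, sample in [("missing", SAMPLE_MISSING), ("disabled", SAMPLE_DISABLED),
                         ("sanitize", SAMPLE_SANITIZE), ("weak csp", SAMPLE_WEAK_CSP),
                         ("hardened", hardened_headers("demo"))]:
        print(f"{name:9s} -> {assess(sample)}")
```

Run as a script it prints one assessment per sample; the hardened set is the only one where the CSP actually restricts scripts, even though its X-XSS-Protection value is 0 and would therefore still match this finding.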