how to set Http header X-XSS-Protection

internet-explorer http-headers xss
Aly picture Aly · Jan 8, 2011 · Viewed 87.7k times · Source

I have tried to put this:

   <meta http-equiv="X-XSS-Protection" content="0">

in the <head> tag but have had no luck. I am trying to get rid of pesky IE preventing cross-site scirpting

Answer

cHao picture cHao · Jan 8, 2011

I doubt it'd work as just a meta tag. You may have to tell your web server to send it as a real header.

In PHP, you'd do it like

header("X-XSS-Protection: 0");

In ASP.net:

Response.AppendHeader("X-XSS-Protection","0")

In Apache's config:

Header set  X-XSS-Protection  0

In IIS, there's a section in the properties for extra headers. It often has "X-Powered-By: ASP.NET" already set up in it; you'd just add "X-XSS-Protection: 0" to that same place.

Related questions

Make IE cache the resources but always revalidate

The cache control header "no-cache, must-revalidate, private" allows browsers to cache the resource but forces a revalidate with conditional requests. This works as expected in FF, Safari, and Chrome. However, IE7+8 does not send a conditional request, that is, "If-Modified-Since" …

Read More
IE 11 sends different User-Agent header to different subdomains

Well, I've been working on an User-Agent based shared-session protection between subdomains. I was extremely surprised that it's been working well until IE 11 preview was released recently. There are 2 subdomains example.com and sub.example.com I've intercepted requests to …

Read More
Hide scroll bar, but while still being able to scroll

I want to be able to scroll through the whole page, but without the scrollbar being shown. In Google Chrome it's: ::-webkit-scrollbar { display: none; } But Mozilla Firefox and Internet Explorer don't seem to work like that. I also tried this …

Read More