Headers

X-XSS-Protection

Stop pages from loading when they detect reflected cross-site scripting (XSS).

The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. These protections are largely unnecessary in modern browsers when sites implement a strong Content-Security-Policy that disables the use of inline JavaScript ('unsafe-inline').

Read more about this header here.

Usage

This header is enabled by default but you can change its behavior like following.

export default defineNuxtConfig({
  // Global
  security: {
    headers: {
      xXSSProtection: <OPTIONS>,
    },
  },

  // Per route
  routeRules: {
    '/custom-route': {
      security: {
        headers: {
          xXSSProtection: <OPTIONS>,
        },
      },
    }
  }
})

You can also disable this header by xXSSProtection: false.

Default value

By default, Nuxt Security will set the following value for this header.

X-XSS-Protection: 0

Available values

The xXSSProtection header can be configured with following values.

xXSSProtection: string | false;

0

Disables XSS filtering.

1

Enables XSS filtering (usually default in browsers). If a cross-site scripting attack is detected, the browser will sanitize the page (remove the unsafe parts).

1; mode=block

Enables XSS filtering. Rather than sanitizing the page, the browser will prevent rendering of the page if an attack is detected.

1; report=<reporting-URI> (Chromium only)

Enables XSS filtering. If a cross-site scripting attack is detected, the browser will sanitize the page and report the violation. This uses the functionality of the CSP report-uri directive to send a report.

Read more about Vulnerabilities caused by XSS filteringhere.