/vulndb/XSS Protection Disabled

A basic XSS protection mechanism is present in every modern browser. This mechanism is active by default but may be disabled by setting the response header “X-XSS-Protection” to the value “0”.

Without the browser’s built-in XSS Protection an attacker is able to perform XSS attacks with simpler payloads.
The web application should never explicitly disable the XSS filter.
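As an added example (not part of the vulndb entry), the following Python check parses raw HTTP response headers and flags a response that explicitly sets X-XSS-Protection to 0, beside a corrected response; the sample responses are constructed, and the "1; mode=block" form used for the corrected response comes from the header's documented syntax rather than from this entry.

```python
"""Scanner-style check for an explicitly disabled browser XSS filter.

Classifies X-XSS-Protection as absent, disabled ("0"), enabled ("1"),
block ("1; mode=block") or invalid.  Samples are constructed, not captured.
"""
from typing import Dict, List

def parse_headers(raw_response: str) -> Dict[str, List[str]]:
    """Return the response headers, names lower-cased, repeats kept in order."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\n")[1:]:  # [0] is the status line
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def xss_protection_status(raw_response: str) -> str:
    """Classify as 'absent', 'disabled', 'enabled', 'block' or 'invalid'."""
    values = parse_headers(raw_response).get("x-xss-protection", [])
    if not values:
        return "absent"
    parsed = [[d.strip().lower() for d in v.split(";")] for v in values]
    # Conservative: one occurrence of "0" is enough to count as disabled.
    if any(p[0] == "0" for p in parsed):
        return "disabled"
    first, *rest = parsed[-1]  # otherwise judge the last occurrence
    if first != "1":
        return "invalid"
    return "block" if "mode=block" in rest else "enabled"

def is_vulnerable(raw_response: str) -> bool:
    """True when the application explicitly turns the filter off (this finding)."""
    return xss_protection_status(raw_response) == "disabled"

# Constructed samples: the weak response beside the corrected one.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "X-XSS-Protection: 0\r\n\r\n<html>...</html>"
)
FIXED_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "X-XSS-Protection: 1; mode=block\r\n\r\n<html>...</html>"
)

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("fixed", FIXED_RESPONSE)):
        print(f"{label}: {xss_protection_status(resp)} vulnerable={is_vulnerable(resp)}")
```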
https://wiki.mozilla.org/Security/Features/XSS_Filter
http://msdn.microsoft.com/en-us/library/dd565647(v=vs.85).aspx
http://en.wikipedia.org/wiki/List_of_HTTP_header_fields#Common_non-standard_response_headers