Free Tool

Free X-XSS-Protection Header Checker

Check a site's X-XSS-Protection header and, more importantly, whether it has the Content Security Policy that actually stops cross site scripting today.

Free and instant. No account or signup needed.

Why X-XSS-Protection no longer matters

X-XSS-Protection was an early browser header that turned on a built-in filter meant to catch reflected cross-site scripting attacks. The idea was reasonable for its time, but the filter was crude. It produced false positives, broke legitimate pages, and in some cases attackers learned to abuse the filter itself to leak information or disable parts of a page. For those reasons the major browsers removed the underlying feature, and the header is now deprecated. Setting it does almost nothing in Chrome, Edge, or Safari today.

Content Security Policy is the modern defense

The protection that actually stops cross site scripting now is a Content Security Policy. A CSP lets you declare exactly which sources a page may load scripts from, so even if an attacker injects a script tag, the browser refuses to run it because it is not on your allowlist. A well written policy that avoids unsafe-inline and uses nonces or hashes for the scripts you do trust closes off the most common injection paths. That is the layer worth investing in, and it is what this checker looks for alongside the legacy header.

What to do about it

The guidance is simple. Either set X-XSS-Protection to 0 to explicitly disable the old filter, or remove the header entirely, since current browsers ignore it either way. Then put your effort into deploying a strong Content Security Policy. When you are ready to write one, the free CSP generator produces a policy you can copy straight into your server or app, and you can confirm an existing policy is sound with the CSP validator.
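The check described above, as an added example that is not part of this page or the SiteSecurityScore tool: it reads the legacy header, flags any value other than 0, and inspects the CSP's script-src (falling back to default-src) for unsafe-inline and for nonce or hash sources. The sample header sets, the nonce and the hash value are constructed for the example.

```python
import re

# Constructed sample responses (not from any real site): a legacy-only
# configuration and a modern one that follows the guidance above.
LEGACY_HEADERS = {
    "X-XSS-Protection": "1; mode=block",
}
MODERN_HEADERS = {
    "X-XSS-Protection": "0",
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self' 'nonce-abc123' "
        "'sha256-AbCdEf0123456789abcdef='; object-src 'none'"  # placeholder hash
    ),
}

_NONCE_OR_HASH = re.compile(r"^'(nonce-|sha(256|384|512)-)", re.IGNORECASE)


def parse_csp(policy: str) -> dict:
    """Split a CSP string into {directive name: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def assess_headers(headers: dict) -> dict:
    """Report the legacy header value and whether the CSP actually restricts scripts."""
    h = {k.lower(): v for k, v in headers.items()}
    xss = h.get("x-xss-protection")
    csp = h.get("content-security-policy")
    report = {
        "xss_protection": xss,
        # Anything other than absent or "0" relies on a filter browsers no longer ship.
        "legacy_filter_enabled": xss is not None and xss.split(";")[0].strip() != "0",
        "csp_present": csp is not None,
        "script_src_restricted": False,
        "unsafe_inline": False,
        "uses_nonce_or_hash": False,
    }
    if csp is None:
        return report
    # script-src falls back to default-src when it is not set explicitly.
    directives = parse_csp(csp)
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return report  # no script restriction at all
    lowered = [s.lower() for s in sources]
    report["script_src_restricted"] = "*" not in lowered
    report["unsafe_inline"] = "'unsafe-inline'" in lowered
    report["uses_nonce_or_hash"] = any(_NONCE_OR_HASH.match(s) for s in sources)
    return report
```

When a nonce or hash is present alongside 'unsafe-inline', browsers that support CSP level 2 ignore the 'unsafe-inline' keyword, so both flags being true usually means a transitional policy rather than a fully open one.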

Frequently asked questions

What is an X-XSS-Protection checker?

An X-XSS-Protection checker reads the X-XSS-Protection header a website returns and reports its value. More usefully, it also checks whether the site has a Content Security Policy, because a strong CSP is the protection that actually stops cross site scripting in modern browsers. SiteSecurityScore checks both live by scanning the URL you enter.

Is X-XSS-Protection still useful?

No. X-XSS-Protection is deprecated and modern browsers ignore it. The header drove a built-in XSS filter that has since been removed from Chrome, Edge, and Safari because the filter itself could be abused. Today the effective defense is a Content Security Policy.

Should I set X-XSS-Protection to 0 or remove it?

Either is fine. Setting it to 0 explicitly disables any legacy filtering and is the value most security guides recommend. Omitting the header entirely has the same practical result in current browsers. What matters is that you do not rely on it for protection.

What replaces X-XSS-Protection?

A Content Security Policy replaces it. A good CSP controls which scripts a page is allowed to run, which neutralizes injected scripts at the source. Our free CSP generator builds a policy you can deploy, and the CSP validator checks an existing one for gaps.

Does this checker scan a live site?

Yes. Enter a URL and SiteSecurityScore fetches the live response, reads the X-XSS-Protection header and CSP, and reports what it found in seconds. No account or signup is required.

Check every layer in one scan

This checker covers one piece. Run a full SiteSecurityScore scan for your security headers, CSP, TLS, DNS, and cookies with a letter grade and copy-and-paste fixes. No account required.

Run a full scan