internet-explorerhttp-headersxss

how to set Http header X-XSS-Protection


I have tried to put this:

   <meta http-equiv="X-XSS-Protection" content="0">

in the <head> tag but have had no luck. I am trying to get rid of pesky IE preventing cross-site scirpting


Solution

  • I doubt it'd work as just a meta tag. You may have to tell your web server to send it as a real header.

    In PHP, you'd do it like

    header("X-XSS-Protection: 0");
    

    In ASP.net:

    Response.AppendHeader("X-XSS-Protection","0")
    

    In Apache's config:

    Header set  X-XSS-Protection  0
    

    In IIS, there's a section in the properties for extra headers. It often has "X-Powered-By: ASP.NET" already set up in it; you'd just add "X-XSS-Protection: 0" to that same place.