X-XSS-Protection is a security header that has been around since version 4 of Google Chrome. It was designed to enable a browser-side filter that checked the content of a page for reflected cross-site scripting. All major browsers have now retired support for the header because the filter itself ended up introducing security flaws. It is highly recommended that you don’t set the header at all and instead configure a strong Content Security Policy.
Tip: Cross-Site Scripting is generally shortened to the acronym “XSS”.
X-XSS-Protection was intended to detect and prevent this type of attack. Unfortunately, over time a number of bypasses and even vulnerabilities were found in the way the filter worked. These vulnerabilities meant that implementing the X-XSS-Protection header could introduce a cross-site scripting vulnerability into an otherwise secure website.
To protect users from these flaws, and with the understanding that the Content Security Policy header, generally shortened to “CSP”, includes functionality that replaces the filter, browser developers decided to retire the feature. Most browsers, including Chrome, Opera, and Edge, have removed support, and Firefox never implemented it. It’s recommended that websites disable the header, to protect those users still on legacy browsers with the feature enabled.
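The recommendation above can be checked automatically against a site’s response headers. The following Python audit is an added example written for this page, not code from the page or from any browser vendor: it flags a response that still enables the retired filter (any X-XSS-Protection value other than `0`), flags a missing Content-Security-Policy, and applies a few sanity checks to the CSP that should replace it. The sample responses are constructed, and the nonce value in them is a placeholder.

```python
"""Audit HTTP response headers for the retired X-XSS-Protection filter
and for the Content Security Policy that is meant to replace it."""

from typing import Dict, List, Optional

# Constructed sample responses (not captured from any real site).
LEGACY_RESPONSE = {
    "Content-Type": "text/html",
    "X-XSS-Protection": "1; mode=block",   # enables the retired filter
}

HARDENED_RESPONSE = {
    "Content-Type": "text/html",
    "X-XSS-Protection": "0",               # explicitly disables the filter
    "Content-Security-Policy": (
        "default-src 'self'; "
        "script-src 'self' 'nonce-PLACEHOLDER'; "   # placeholder nonce
        "object-src 'none'; base-uri 'self'"
    ),
}

HASH_OR_NONCE_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source tokens]}."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the headers look sound."""
    findings: List[str] = []

    xss = get_header(headers, "X-XSS-Protection")
    if xss is not None:
        mode = xss.split(";")[0].strip()
        if mode != "0":
            findings.append(
                f"X-XSS-Protection is {xss!r}: this enables the retired filter; "
                "remove the header or set it to '0'"
            )

    csp = get_header(headers, "Content-Security-Policy")
    if csp is None:
        findings.append("no Content-Security-Policy header; add one to replace X-XSS-Protection")
        return findings

    directives = parse_csp(csp)
    # script-src falls back to default-src when absent.
    script_sources = directives.get("script-src", directives.get("default-src"))
    if script_sources is None:
        findings.append("CSP has neither script-src nor default-src, so scripts are unrestricted")
    else:
        has_nonce_or_hash = any(s.startswith(HASH_OR_NONCE_PREFIXES) for s in script_sources)
        # 'unsafe-inline' is ignored by browsers once a nonce or hash is present,
        # so it only weakens the policy when no nonce/hash accompanies it.
        if "'unsafe-inline'" in script_sources and not has_nonce_or_hash:
            findings.append("script-src allows 'unsafe-inline' without a nonce or hash, "
                            "which does not stop reflected XSS")
        if "*" in script_sources:
            findings.append("script-src allows scripts from any origin ('*')")

    if "object-src" not in directives and "default-src" not in directives:
        findings.append("no object-src or default-src; plugin content is unrestricted")

    return findings


if __name__ == "__main__":
    for label, response in (("legacy", LEGACY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(response) or ["ok"])
```

Run the script directly to see the legacy response produce two findings and the hardened one produce none; in practice you would feed it the header dictionary returned by your HTTP client for each page of the site.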