strapi/docs/security/xss.md

---
title: X-XSS
---

Cross-site scripting (XSS) is a type of attack in which a malicious agent manages to inject client-side JavaScript into your website, so that it runs in the trusted environment of your users' browsers.

Enables `X-XSS-Protection` headers to help prevent cross site scripting (XSS) attacks in older IE browsers (IE8).

## Configuration

Configuration:

- Key: `xssProtection`
- Environment: `development`
- Location: `./config/environments/development/security.json`
- Type: `object`

Example:

```js
{
  "xssProtection": {
    "enabled": true,
    "mode": "block"
  }
}
```

Options:

- `enabled` (boolean): If the header is enabled or not.
- `mode` (string): Mode to set on the header.

Notes:

- Set to `false` to disable HTTP Strict Transport Security.
Add docs about v2 2016-03-22 18:11:11 +01:00			`---`
			`title: X-XSS`
			`---`

			`Cross-site scripting (XSS) is a type of attack in which a malicious agent manages to inject client-side JavaScript into your website, so that it runs in the trusted environment of your users' browsers.`

			Enables `X-XSS-Protection` headers to help prevent cross site scripting (XSS) attacks in older IE browsers (IE8).

			`## Configuration`

			`Configuration:`

			- Key: `xssProtection`
			- Environment: `development`
			- Location: `./config/environments/development/security.json`
			- Type: `object`

			`Example:`

			```js
			`{`
			`"xssProtection": {`
			`"enabled": true,`
			`"mode": "block"`
			`}`
			`}`
			```

			`Options:`

			- `enabled` (boolean): If the header is enabled or not.
			- `mode` (string): Mode to set on the header.

			`Notes:`

			- Set to `false` to disable HTTP Strict Transport Security.