2016-03-22 18:11:11 +01:00

title
X-XSS

Cross-site scripting (XSS) is a type of attack in which a malicious agent manages to inject client-side JavaScript into your website, so that it runs in the trusted environment of your users' browsers.

Enables the X-XSS-Protection header to help prevent cross-site scripting (XSS) attacks in older IE browsers (IE8).

Configuration

Configuration:

  • Key: xssProtection
  • Environment: development
  • Location: ./config/environments/development/security.json
  • Type: object

Example:

{
  "xssProtection": {
    "enabled": true,
    "mode": "block"
  }
}

Options:

  • enabled (boolean): If the header is enabled or not.
  • mode (string): Mode to set on the header.

Notes:

  • Set to false to disable the X-XSS-Protection header.
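
To confirm that a running application sends the header this configuration describes, the following added example (not part of the original documentation or of the framework's code) parses an X-XSS-Protection value and compares it with the xssProtection object. The function names, the lower-cased header map, and the expectation that a disabled setting yields either no header or a 0 value are assumptions.

```javascript
'use strict';

// Parse an X-XSS-Protection value such as "1; mode=block" into its parts.
// Returns null when the value is missing or malformed.
function parseXssProtection(value) {
  if (typeof value !== 'string') return null;
  const [flag, ...directives] = value.split(';').map((s) => s.trim());
  if (flag !== '0' && flag !== '1') return null;
  const parsed = { enabled: flag === '1', mode: null, report: null };
  for (const d of directives) {
    if (d === '') continue; // tolerate a trailing semicolon
    const eq = d.indexOf('=');
    if (eq === -1) return null;
    const key = d.slice(0, eq).trim().toLowerCase();
    const val = d.slice(eq + 1).trim();
    if (key === 'mode') parsed.mode = val.toLowerCase();
    else if (key === 'report') parsed.report = val;
    else return null; // unknown directive
  }
  return parsed;
}

// Compare response headers with the xssProtection object from security.json.
// `headers` is a plain object with lower-cased names (hypothetical input shape).
function auditXssProtection(config, headers) {
  const want = config.xssProtection;
  const got = parseXssProtection(headers['x-xss-protection']);
  const findings = [];
  if (!want || want.enabled === false) {
    // Assumption: disabled means the header is absent or carries "0".
    if (got && got.enabled) findings.push('header sent although disabled in config');
    return findings;
  }
  if (!got) {
    findings.push('header missing or malformed');
  } else {
    if (!got.enabled) findings.push('header present but filter switched off (0)');
    if (want.mode && got.mode !== want.mode) {
      findings.push(`mode is ${got.mode}, expected ${want.mode}`);
    }
  }
  return findings;
}

// Constructed sample data mirroring the example configuration above.
const sampleConfig = { xssProtection: { enabled: true, mode: 'block' } };
console.log(auditXssProtection(sampleConfig, { 'x-xss-protection': '1; mode=block' }));
console.log(auditXssProtection(sampleConfig, { 'x-xss-protection': '1' }));
```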