This tutorial demonstrates various methods to check if the X-XSS-Protection header is enabled in the HTTP response headers of your website. X-XSS-Protection is a security header intended to protect websites from cross-site scripting (XSS) attacks or vulnerabilities. XSS lets an attacker inject client-side scripts into the web pages of a website so that they run in the browsers of other visitors, which can ultimately compromise the website's access controls. So, if you would like to know whether your website is safe from these security breaches, then this tutorial is what you need.
There are many free websites available which can help you do that. These websites let you easily verify whether X-XSS-Protection is enabled in your website's HTTP response headers or not. Apart from the X-XSS-Protection status, some of these websites even let you check the status of other security headers, including CSP, HSTS, and HPKP. So, here in this post, I will explain three such websites.
SecurityHeaders:
SecurityHeaders is one of the best free websites to check if X-XSS-Protection is enabled in the HTTP headers of your website. It is very simple to use: open the website and enter the URL of your website to see whether X-XSS-Protection is enabled or not. Apart from the X-XSS-Protection status, it also shows other security headers like CSP, X-Frame-Options, Referrer-Policy, and so on.
Now, let us see how to use this website for checking the X-XSS Protection status.
Step 1: The first thing you need to do is go to the homepage of SecurityHeaders and enter your website URL in the search bar at the top. Once you do that, click on the Scan button to proceed.
Step 2: After that, it will process the website and find out the X-XSS-Protection status of the website. If your website doesn't send it in the HTTP response headers, then it will simply show a "Cross" for the X-XSS-Protection parameter, as shown below.
Web Server Security Test:
Web Server Security Test is another useful website which can help you find out whether X-XSS-Protection is enabled in the HTTP response headers of your website or not. This website is also pretty simple to use. In addition to X-XSS-Protection, this one also shows reports for other HTTP security headers like Content-Security-Policy, X-Frame-Options, and more.
To check the X-XSS protection status, simply follow the steps below.
Step 1: After you visit this website, you need to enter the target website URL in the search bar at the top. Once done, click on the "Play" icon on the right of the search bar.
Step 2: After you do that, it will start analyzing your website URL and then generate the report for X-XSS-Protection. You will be able to see the protection status under the "HTTP Security Header Analysis" section. If your website doesn't send X-XSS-Protection, then it will simply display a message saying "The header was not sent by the server".
Header Security Test:
Header Security Test is another free website which can help you check if X-XSS-Protection is enabled in the HTTP response headers of your website. Similar to the other websites explained in this post, this one also lets you simply enter a website link, and then it displays the XSS protection status automatically. Not only X-XSS-Protection, it even shows the status of other security headers of a website like X-Frame-Options, CSP, Referrer-Policy, and more.
To see the X-XSS Protection status, follow the steps below.
Step 1: When you visit the homepage of Header Security Test, there will be an input field at the center of the screen. Now, what you need to do is enter your website link in the field and hit the Test Now button.
Step 2: As soon as you do that, it will start processing your website for security headers and show you the result. In the result, you will see a "Green Tick" if X-XSS-Protection is enabled or a "Red Cross" if it is not.
These are some of the best free websites which make it super simple for you to check if X-XSS-Protection is enabled in your website's HTTP response headers or not. All these websites are very effective and let you perform security header tests on your website without much effort.
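If you would rather check the headers yourself than paste your URL into a third-party scanner, the following Python script does locally what the three websites above do. It is an added example and not code from this post or from any of those services: it parses the header block of a raw HTTP response, reports whether X-XSS-Protection and the other headers the scanners list are sent, and classifies the X-XSS-Protection value (enabled in filter mode, enabled with mode=block, explicitly disabled with 0, or not sent). The two responses in the script are constructed samples, not captures from real sites. One caveat worth knowing when reading any of these reports: Chromium-based browsers removed the XSS Auditor that this header controlled in 2019, and Firefox never implemented it, so a site that relies on X-XSS-Protection alone has no browser-side XSS filtering; Content-Security-Policy is the header that actually restricts injected scripts in current browsers.

```python
"""Local check for X-XSS-Protection and related security headers.

Added example; not code from the original post or from the scanner sites it
describes. The sample responses below are constructed, not real captures.
"""
from typing import Dict, Optional

# The headers the online scanners in this post report on.
SECURITY_HEADERS = (
    "X-XSS-Protection",
    "Content-Security-Policy",
    "Strict-Transport-Security",
    "X-Frame-Options",
    "Referrer-Policy",
)


def parse_response_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP/1.x response into a dict.

    Header names are case-insensitive, so keys are lower-cased. Parsing stops
    at the blank line that separates headers from the body, and malformed
    lines are skipped so a scan still reports whatever could be read.
    """
    headers: Dict[str, str] = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:  # lines[0] is the status line
        if line.strip() == "":
            break
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def xss_protection_status(value: Optional[str]) -> str:
    """Classify an X-XSS-Protection value the way a header scanner would."""
    if value is None:
        return "not sent"
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    if not directives:
        return "malformed"
    if directives[0] == "0":
        return "explicitly disabled"
    if directives[0] == "1":
        if "mode=block" in directives[1:]:
            return "enabled (mode=block)"
        return "enabled (filter mode)"
    return "malformed"


def check_security_headers(raw: str) -> Dict[str, str]:
    """Return a per-header status report for a raw HTTP response."""
    headers = parse_response_headers(raw)
    report: Dict[str, str] = {}
    for name in SECURITY_HEADERS:
        value = headers.get(name.lower())
        if name == "X-XSS-Protection":
            report[name] = xss_protection_status(value)
        else:
            report[name] = "present" if value is not None else "not sent"
    return report


# Constructed sample: a server that sends the full set of headers.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Frame-Options: DENY\r\n"
    "Referrer-Policy: no-referrer\r\n"
    "\r\n"
    "<html><body>sample</body></html>\r\n"
)

# Constructed sample: a server that sends none of the security headers.
BARE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Server: constructed-sample\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("hardened", HARDENED_RESPONSE), ("bare", BARE_RESPONSE)):
        print(f"== {label} ==")
        for header, status in check_security_headers(raw).items():
            print(f"{header:28s} {status}")
```

To run it against a site you operate, capture the response headers with `curl -sI https://your-site.example` and pass the text to check_security_headers(); the script only needs the status line and header block, so the body can be omitted.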
Try these websites and do let me know how they worked for you in the comments below.