7 Dec 2023

The X-XSS-Protection Security Header Won’t Provide Protection Against XSS Attacks on Your WordPress Website

Last week, we looked at the so-called Advanced XSS Protection offered by a WordPress plugin with over 1 million installs, which turned out not to provide protection, advanced or otherwise. Part of that involved the security header X-XSS-Protection, which is worth going into in more detail, as many security plugins offer setting it as a feature.

Security headers are instructions sent by a website to web browsers that are supposed to tighten the security of the website. Whether they actually do that is something the various guides touting them don't even try to address. You should be wary of any security advice that isn't backed up with evidence, as people often believe and spread claims about security that turn out not to be true.

One really important limitation of security headers in general is that they are only enforced by the visitor's web browser, so an attacker's own client can simply ignore them. They will not stop an attacker launching an attack against a website. At most they can protect someone else visiting the website. Since many attacks against WordPress websites don't involve anyone other than the attacker, the headers provide no protection against those attacks.

There are also several significant problems with the idea that the X-XSS-Protection header provides protection.

The biggest issue nowadays is that web browsers no longer support it. They don't support it because the feature it controlled, the browser's built-in reflected-XSS filter, has been removed from web browsers. The feature was never in Firefox. It was removed from Edge in 2018, from Chrome in 2019, and from Safari in 2022.

When the feature was in web browsers, it was enabled by default. WordPress security plugins that set this header normally set it to the enabled value, so they don't change whether it is enabled. (The common value "1; mode=block" only changed what the filter did when it fired, blocking the page instead of stripping the suspect script, not whether it ran.) So setting the header made essentially no change to the security situation.

The final significant issue worth noting is that this header only ever had an impact on reflected cross-site scripting (XSS) vulnerabilities, where the malicious script arrives in the request and is echoed back in the response. The type of XSS vulnerability that is widely exploited is persistent (stored) XSS, so the header didn't protect against the type of XSS that really needed protecting against.
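The two points above, that the value plugins typically send matches the legacy browser default and that the filter could only ever see reflected input, can be made concrete in a few lines. The following Python is an added example, not code from the original post or from any plugin it discusses. The header syntax it parses ("0", "1", "1; mode=block", "1; report=<uri>") is the documented one, but the filter logic is a deliberately simplified model of the removed browser heuristic (input from the request reappearing inside a script element of the response), not the real Chromium, Edge or Safari implementation; the MIN_MATCH_LEN threshold and the example.test traffic are constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlsplit

MIN_MATCH_LEN = 8  # assumed threshold so short values like "12" never match


@dataclass(frozen=True)
class XssProtection:
    enabled: bool
    mode: str                   # "filter" (rewrite), "block", or "off"
    report_uri: Optional[str]


# What a legacy browser did when no header was sent: filter on, rewrite mode.
LEGACY_DEFAULT = XssProtection(enabled=True, mode="filter", report_uri=None)


def parse_x_xss_protection(value: Optional[str]) -> XssProtection:
    """Parse a header value; None (header absent) yields the legacy default."""
    if value is None:
        return LEGACY_DEFAULT
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts or parts[0] not in ("0", "1"):
        raise ValueError(f"unrecognised X-XSS-Protection value: {value!r}")
    if parts[0] == "0":
        return XssProtection(enabled=False, mode="off", report_uri=None)
    mode, report = "filter", None
    for directive in parts[1:]:
        name, _, arg = directive.partition("=")
        name, arg = name.strip().lower(), arg.strip()
        if name == "mode" and arg.lower() == "block":
            mode = "block"
        elif name == "report" and arg:
            report = arg
        else:
            raise ValueError(f"unrecognised directive: {directive!r}")
    return XssProtection(enabled=True, mode=mode, report_uri=report)


def changes_legacy_default(value: Optional[str]) -> bool:
    """True only if sending this header altered what the old filter did."""
    return parse_x_xss_protection(value) != LEGACY_DEFAULT


SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)


def legacy_filter_verdict(request_url: str, response_html: str,
                          header: Optional[str]) -> str:
    """Simplified model of the removed reflected-XSS filter.

    Returns "off", "filtered", "blocked" or "no match". The filter only
    compared *request* parameter values against <script> content in the
    *response*; a payload served from the database never appears in the
    request, so the stored-XSS case always ends in "no match".
    """
    policy = parse_x_xss_protection(header)
    if not policy.enabled:
        return "off"
    scripts = SCRIPT_RE.findall(response_html)
    for values in parse_qs(urlsplit(request_url).query).values():
        for v in values:
            if len(v) >= MIN_MATCH_LEN and any(v in s for s in scripts):
                return "blocked" if policy.mode == "block" else "filtered"
    return "no match"


if __name__ == "__main__":
    # Constructed sample traffic, not captured from any real site.
    reflected_url = "https://example.test/?s=<script>alert(1)</script>"
    reflected_page = "<h1>Results for <script>alert(1)</script></h1>"
    stored_url = "https://example.test/?p=12"
    stored_page = "<p>Nice post!</p><script>alert(1)</script>"
    for hdr in (None, "1", "1; mode=block", "0"):
        print(hdr, changes_legacy_default(hdr),
              legacy_filter_verdict(reflected_url, reflected_page, hdr),
              legacy_filter_verdict(stored_url, stored_page, hdr))
```

Running it shows the two gaps in one table: "1" is indistinguishable from sending no header at all, and whatever the header value, the stored payload on the post page gets "no match" because nothing in the request resembles it. In a current browser every row is moot, since none of them implements the filter any more.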

For those looking to get more protection for their WordPress website, security headers are not the solution. A well-developed firewall plugin can provide significant protection against both reflected and persistent XSS vulnerabilities, as well as other attacks. More protection can be gained by making sure that WordPress plugins are properly secured by putting them through a security review, so that there are no vulnerabilities to exploit in the first place.
