Why this error in dev console of chrome when using x-xss-protection?

Question

How to fix this error in console?

Error parsing header X-XSS-Protection: 1; mode=block, 1;
mode=block:expected semicolon at character position 14.
The default protections will be applied.

Answer 1

If the error is shown even you send the right header, check if you send the header perhaps twice. This is shown in the error-console below network and you click on any file.

Sending the header twice can happen if for the server

add_header X-XSS-Protection "1; mode=block";

is noted in two different include-files or one include-file is included twice. Browsers or at least chrome is concatenating the two headers then internally and the applied WRONG rule is then, like shown in the question:

X-XSS-Protection: "1; mode=block, 1; mode=block"

Answer 2

I had the same error in Chrome. I was adding the header to multiple sites.

Instead, you should add it to the http block if you are using NGINX:

http {
    add_header X-XSS-Protection "1; mode=block";

    ...
}

Answer 3

I had this error when I’m proxying a Docker service through NGINX. Both the Docker service and NGINX adds the header, so I need to dedupe. I finally came out with this:

map $upstream_http_x_xss_protection $xss_p {
    '' '1; mode=block';
}
add_header X-XSS-Protection $xss_p always;

I call this “poor man’s set_header”. Thanks to great hint from David and kolbyjack.

Answer 4

If you are using Akamai use "modify" instead of "add" behavior in your configuration. Make sure you have selected the "avoid duplicate headers" option, which is only available in "modify" modus.

Answer 5

You are not following the proper syntax of X-XSS-Protection, so you are getting a parsing error.

I think you are looking for this:

X-XSS-Protection: 1; mode=block

So remove the , 1 at the end of yours