X-XSS-Protection
Enabled Stop pages from loading when they detect reflected cross-site scripting (XSS).
The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. These protections are largely unnecessary in modern browsers when sites implement a strong Content-Security-Policy that disables the use of inline JavaScript ('unsafe-inline').
Usage
This header is enabled by default but you can change its behavior like following.
export default defineNuxtConfig({
  // Global
  security: {
    headers: {
      xXSSProtection: <OPTIONS>,
    },
  },
  // Per route
  routeRules: {
    '/custom-route': {
      security: {
        headers: {
          xXSSProtection: <OPTIONS>,
        },
      },
    }
  }
})
You can also disable this header by xXSSProtection: false.
Default value
By default, Nuxt Security will set the following value for this header.
X-XSS-Protection: 0
Available values
The xXSSProtection header can be configured with following values.
xXSSProtection: string | false;
0
Disables XSS filtering.
1
Enables XSS filtering (usually default in browsers). If a cross-site scripting attack is detected, the browser will sanitize the page (remove the unsafe parts).
1; mode=block
Enables XSS filtering. Rather than sanitizing the page, the browser will prevent rendering of the page if an attack is detected.
1; report=<reporting-URI> (Chromium only)
Enables XSS filtering. If a cross-site scripting attack is detected, the browser will sanitize the page and report the violation. This uses the functionality of the CSP report-uri directive to send a report.
Vulnerabilities caused by XSS filteringhere.