Deprecation of the “X-XSS-Protection” header

Hello Zimbra Customers, Partners & Friends,

In the past, Zimbra recommended setting the X-XSS-Protection HTTP response header. This header used to enable additional protection against cross-site scripting (XSS) attacks in some web browsers. However, the header is now deprecated and support has been removed from most browsers. If you have configured Zimbra to use the X-XSS-Protection header, or if you are unsure whether your Zimbra uses it, follow the steps below to verify and disable the header, as continued use of the header may introduce new security vulnerabilities.

Verify and configure response headers

To find out the current response headers that Zimbra is configured to use, issue the following commands:

sudo su zimbra -
zmprov gcf zimbraResponseHeader

Example output:

zimbraResponseHeader: Strict-Transport-Security: max-age=31536000; includeSubDomains
zimbraResponseHeader: X-XSS-Protection: 1; mode=block
zimbraResponseHeader: X-Content-Type-Options: nosniff
zimbraResponseHeader: X-Robots-Tag: noindex
zimbraResponseHeader: Referrer-Policy: no-referrer

Here you can see that the `X-XSS-Protection` header is in use. To remove the header, issue the following commands:

zmprov mcf -zimbraResponseHeader "X-XSS-Protection: 1; mode=block"
zmcontrol restart

Please note that you may not see the change until the browser cache is flushed.
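
The check and removal above, as an added example that is not part of the original post: a shell function that reads `zmprov gcf zimbraResponseHeader` output and prints a removal command for every configured X-XSS-Protection value, so the value is copied from the configuration rather than retyped. The function names and the sample input are constructed for illustration; nothing is executed, the commands are only printed.

```shell
#!/bin/sh
# Added example (not Zimbra's own code): derive the removal commands from
# the output of `zmprov gcf zimbraResponseHeader`.

# Reads zmprov output on stdin and prints one removal command per configured
# X-XSS-Protection value. The header name is matched case-insensitively.
xss_removal_commands() {
    while IFS= read -r line; do
        # Keep only "zimbraResponseHeader: <header>" lines.
        case "$line" in
            "zimbraResponseHeader: "*) value=${line#zimbraResponseHeader: } ;;
            *) continue ;;
        esac
        # Header name is everything before the first colon, lower-cased.
        name=$(printf '%s' "${value%%:*}" | tr '[:upper:]' '[:lower:]')
        [ "$name" = "x-xss-protection" ] || continue
        # Values containing shell metacharacters are flagged, not quoted blindly.
        case "$value" in
            *\"*|*\$*|*\`*|*\\*)
                printf '# review manually: %s\n' "$value"
                continue ;;
        esac
        printf 'zmprov mcf -zimbraResponseHeader "%s"\n' "$value"
    done
}

# Constructed sample input, modelled on the example output above, with one
# extra lower-case entry to show that every variant is picked up.
sample_output() {
    cat <<'EOF'
zimbraResponseHeader: Strict-Transport-Security: max-age=31536000; includeSubDomains
zimbraResponseHeader: X-XSS-Protection: 1; mode=block
zimbraResponseHeader: X-Content-Type-Options: nosniff
zimbraResponseHeader: x-xss-protection: 1
EOF
}

# On a Zimbra server, as the zimbra user, the real input would be:
#   zmprov gcf zimbraResponseHeader | xss_removal_commands
sample_output | xss_removal_commands
```

After running the printed commands, `zmcontrol restart` is still needed, as in the steps above.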

Hardening Zimbra security

If you are interested in further hardening your Zimbra security, take a look at the following wiki pages:

Further reading about the X-XSS-Protection header deprecation

If you are interested in learning more about the deprecation of the X-XSS-Protection header, see the links below:


Copyright © 2022 Zimbra, Inc. All rights reserved.
