Move X-XSS-Protection: 1 wiki page here

EvanHahn · EvanHahn · commit 75ce52a82a89 · 2025-01-10T09:34:50.000-05:00
Old page on the wiki: <https://github.com/helmetjs/helmet/wiki/How-to-disable-blocking-with-X%E2%80%93XSS%E2%80%93Protection>
diff --git a/content/faq/_index.md b/content/faq/_index.md
@@ -11,4 +11,5 @@ title: "Frequently asked questions (FAQ)"
 - [How do I set a Content Security Policy nonce?]({{< ref "faq/csp-nonce-example" >}})
 - [How do I set both `Content-Security-Policy` and `Content-Security-Policy-Report-Only` headers?](https://github.com/helmetjs/helmet/issues/351#issuecomment-1015498560)
 - [How should I use Helmet with non-document responses?]({{< ref "faq/non-documents" >}})
+- [How do I disable blocking with the `X-XSS-Protection` header?]({{< ref "faq/x-xss-protection-disable-blocking" >}})
 - [Who made Helmet?]({{< ref "faq/contributors" >}})
diff --git a/content/faq/x-xss-protection-disable-blocking.md b/content/faq/x-xss-protection-disable-blocking.md
@@ -0,0 +1,15 @@
+---
+title: How do I disable blocking with the X-XSS-Protection header?
+---
+
+Previous versions of Helmet (and the `x-xss-protection` npm package) allowed you to remove the `mode=block` directive. This functionality was removed because it is not recommended.
+
+If you still need to do that, you can write your own small middleware:
+
+```js
+// NOTE: This is discouraged.
+app.use((req, res, next) => {
+  res.setHeader("X-XSS-Protection", "1");
+  next();
+});
+```
