Cross site scripting

To protect pages against XSS (Cross Site Scripting), you should escape your HTML output.

However, as an additional protection, you can instruct some browsers to look for a particular kind of XSS, known as Reflected XSS, using one of the following:

$config['output.xss_reflected'] = 'block';
$config['output.xss_reflected'] = 'filter';

This is enabled by default as 'block', and simply sets the 'X-XSS-Protection' header, along with the 'reflected-xss' Content Security Policy directive.
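
One way the setting could map to the two headers, together with the output escaping recommended at the top of this page. This is an added example, not the framework's own code: the function names xss_reflected_headers() and html(), the standalone $config array and the sample input are assumptions.

```php
<?php
// Added example: hypothetical helpers, not part of the framework.

/**
 * Map an 'output.xss_reflected' value ('block' or 'filter') to the
 * response headers described above. Returns header name => value.
 */
function xss_reflected_headers(string $mode): array
{
    $map = [
        'block'  => '1; mode=block', // stop rendering the page
        'filter' => '1',             // let the browser sanitise the page
    ];
    if (!isset($map[$mode])) {
        // Fail closed on a typo rather than silently sending nothing.
        throw new InvalidArgumentException("Unknown output.xss_reflected value: $mode");
    }
    return [
        'X-XSS-Protection'        => $map[$mode],
        // Shown alone here; a real policy carries other directives too.
        'Content-Security-Policy' => 'reflected-xss ' . $mode,
    ];
}

/** Escape a value for an HTML text node or a quoted attribute. */
function html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$config = ['output.xss_reflected' => 'block']; // the default named above

foreach (xss_reflected_headers($config['output.xss_reflected']) as $name => $value) {
    header("$name: $value"); // must run before any output is sent
}

// Constructed sample input standing in for a reflected request parameter.
$search = $_GET['q'] ?? '"><b>injected markup</b>';

// Escaping is the primary defence; the headers above are only a backstop.
echo '<p>Results for: ' . html($search) . "</p>\n";
```

With the sample input, the paragraph contains `&quot;&gt;&lt;b&gt;injected markup&lt;/b&gt;`, so the markup is displayed as text instead of being interpreted.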