Move X-XSS-Protection report directive wiki page here

EvanHahn · EvanHahn · commit 5f7ca817bdfc · 2025-01-10T09:40:16.000-05:00
Old page: <https://github.com/helmetjs/helmet/wiki/How-to-enable-the-%60report%60-directive-with-X%E2%80%93XSS%E2%80%93Protection>
diff --git a/content/faq/_index.md b/content/faq/_index.md
@@ -12,4 +12,5 @@ title: "Frequently asked questions (FAQ)"
 - [How do I set both `Content-Security-Policy` and `Content-Security-Policy-Report-Only` headers?](https://github.com/helmetjs/helmet/issues/351#issuecomment-1015498560)
 - [How should I use Helmet with non-document responses?]({{< ref "faq/non-documents" >}})
 - [How do I disable blocking with the `X-XSS-Protection` header?]({{< ref "faq/x-xss-protection-disable-blocking" >}})
+- [How do I enable the `report` directive with the `X-XSS-Protection` header?]({{< ref "faq/x-xss-protection-report-directive" >}})
 - [Who made Helmet?]({{< ref "faq/contributors" >}})
diff --git a/content/faq/x-xss-protection-report-directive.md b/content/faq/x-xss-protection-report-directive.md
@@ -0,0 +1,15 @@
+---
+title: How do I enable the "report" directive with the X-XSS-Protection header?
+---
+
+Previous versions of Helmet (and the `x-xss-protection` package) allowed you to add the `report` directive. This functionality was removed because enabling this header is no longer recommended.
+
+If you still need to set a `report` directive for some reason, you can write your own small middleware:
+
+```js
+// NOTE: This is discouraged.
+app.use((req, res, next) => {
+  res.setHeader("X-XSS-Protection", "1; mode=block; report=/report-path");
+  next();
+});
+```
