1. Set CSP Headers
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline';" always;
Note: 'unsafe-inline' in script-src still allows injected inline scripts to run, so this policy only blocks scripts loaded from other origins. Replace it with nonces or hashes once inline scripts are moved into files.
2. Use ModSecurity XSS Rules
SecRule ARGS "@rx (<script|javascript:|onload=|onclick=)" "id:1001,phase:2,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,log,msg:'XSS Detected'"
The t:urlDecodeUni and t:lowercase transformations normalise each argument before the pattern is applied, so case variants and double-encoded input are matched too.
3. Enable X-XSS-Protection (Legacy)
add_header X-XSS-Protection "1; mode=block" always;
Note: current Chromium-based browsers ignore this header and Firefox never implemented it, so it only affects older browsers and is not a substitute for CSP.
4. Sanitize User Input
In your application, always escape output at the point it is written into HTML: htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
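To see what the ModSecurity rule from step 2 actually catches, the following added Python harness (not part of this page and not ModSecurity itself) approximates phase-2 ARGS inspection with and without the t:urlDecodeUni and t:lowercase transformations, using constructed sample query strings. The single urllib decode pass is an assumed stand-in for urlDecodeUni, and the sample requests are constructed for testing, not real traffic.

```python
import re
from urllib.parse import parse_qs, unquote

# Same pattern as the SecRule above; ModSecurity applies it to every ARGS value.
XSS_PATTERN = re.compile(r"(<script|javascript:|onload=|onclick=)")


def apply_transforms(value: str) -> str:
    """Rough stand-in for the rule's t:urlDecodeUni,t:lowercase chain.

    ModSecurity's argument parser decodes the query string once; the extra
    decode pass here mimics t:urlDecodeUni catching double-encoded input.
    """
    return unquote(value).lower()


def flagged_args(query_string: str, with_transforms: bool) -> list:
    """Return the names of arguments the rule would deny, in request order."""
    hits = []
    for name, values in parse_qs(query_string, keep_blank_values=True).items():
        for raw in values:  # parse_qs already did the engine's single decode
            candidate = apply_transforms(raw) if with_transforms else raw
            if XSS_PATTERN.search(candidate):
                hits.append(name)
                break
    return hits


# Constructed sample requests (hypothetical, not captured from real traffic).
SAMPLE_REQUESTS = {
    "benign":         "q=hello+world&page=2",
    "plain_tag":      "q=%3Cscript%3E",        # decodes once to <script>
    "mixed_case":     "q=%3CScRiPt%3E",        # case variation of the tag
    "double_encoded": "q=%253Cscript%253E",    # decodes once to %3Cscript%3E
    "event_handler":  "name=x%22+onload%3Dy",  # x" onload=y
}


def compare_rule_variants() -> dict:
    """Map each sample to (bare-rule hits, transformed-rule hits)."""
    return {
        label: (flagged_args(qs, False), flagged_args(qs, True))
        for label, qs in SAMPLE_REQUESTS.items()
    }


if __name__ == "__main__":
    for label, (bare, transformed) in compare_rule_variants().items():
        print(f"{label:15s} bare={bare} transformed={transformed}")
```

The bare regex misses the mixed-case and double-encoded samples, which is why the transformation chain belongs on the rule.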