
X-XSS-Protection: 0 is recommended by Mozilla and Google

Open · DavidOsipov opened this issue 2 years ago · 1 comment

Currently, Mozilla and Google do not recommend setting X-XSS-Protection to enabled state due to the fact that the XSS auditor can even create new XSS vulnerabilities in otherwise secure websites. X-XSS-Protection: 0 is preferred.

DavidOsipov · Apr 23 '22 22:04

I'm not sure what would be the best to do here:

> Setting the X-XSS-Protection header to either 0 or 1; mode=block prevents vulnerabilities like the one described above

... while bringing back XSS vulnerability from having disabled XSS filtering. Then for best security, it would be sending 1; mode=block as they suggest.

> These protections are largely unnecessary in modern browsers when sites implement a strong Content-Security-Policy that disables the use of inline JavaScript ('unsafe-inline').

Perhaps a better option would be sending X-XSS-Protection: 0 only if Content-Security-Policy is set in the response? (always sending either 0 or 1; mode=block doesn't seem like a great default).

dvershinin · Jun 17 '22 17:06
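The conditional behaviour proposed in the comment above, written as a plain nginx reverse-proxy configuration rather than with any directive of ngx_security_headers itself. This is an added example, not code from the project or from either participant; `app_backend` is an assumed upstream name. It keys the value on `$upstream_http_content_security_policy`, i.e. a CSP that the backend already emits, and falls back to `1; mode=block` when no CSP is present.

```nginx
# Added example (not part of the ngx_security_headers module): choose the
# X-XSS-Protection value from whether the upstream response carries a CSP.
#
# $upstream_http_content_security_policy is empty when the backend sent no
# Content-Security-Policy header, so "default" covers that case.
map $upstream_http_content_security_policy $xss_protection {
    default  "1; mode=block";   # no CSP: keep the legacy auditor in block mode
    "~."     "0";               # any non-empty CSP: disable the legacy auditor
}

upstream app_backend {            # assumed backend, for illustration only
    server 127.0.0.1:8080;
}

server {
    listen 80;
    server_name example.test;     # assumed hostname

    location / {
        proxy_pass http://app_backend;

        # Drop any X-XSS-Protection the backend set so the header below is
        # the only one in the response; add_header never replaces, it appends.
        proxy_hide_header X-XSS-Protection;

        # "always" so the header is also sent on 4xx/5xx responses.
        add_header X-XSS-Protection $xss_protection always;
    }
}
```

Two caveats a practitioner will hit: `add_header` directives are inherited only when the enclosing block defines none, so every `location` that adds its own headers must repeat this line; and the map treats any CSP as sufficient, whereas the Mozilla text quoted above only makes the auditor unnecessary when the policy actually blocks inline script. If the backend's policies vary, tighten the regex to match only policies without `'unsafe-inline'` (for example a PCRE negative lookahead), accepting that this is a textual approximation rather than a CSP parse.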

Dead weight issue - closing.

DavidOsipov · Sep 05 '23 08:09