ngx_security_headers
X-XSS-Protection: 0 is recommended by Mozilla and Google
Currently, Mozilla and Google do not recommend setting X-XSS-Protection to an enabled state, due to the fact that the XSS auditor can even create new XSS vulnerabilities in otherwise secure websites. X-XSS-Protection: 0 is preferred.
I'm not sure what would be the best to do here:
"Setting the X-XSS-Protection header to either 0 or 1; mode=block prevents vulnerabilities like the one described above" ... while bringing back the XSS vulnerability from having disabled XSS filtering. Then for best security, it would be sending 1; mode=block, as they suggest.
These protections are largely unnecessary in modern browsers when sites implement a strong Content-Security-Policy that disables the use of inline JavaScript ('unsafe-inline').
Perhaps a better option would be sending X-XSS-Protection: 0 only if Content-Security-Policy is set in the response? (Always sending either 0 or 1; mode=block doesn't seem like a great default.)
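The rule floated above (send 0 only when the response already carries a CSP, otherwise fall back to 1; mode=block) can be checked against real responses with a small audit script. This is an added example, not code from this issue or from the ngx_security_headers module; it assumes the CSP only counts as "strong" when it actually forbids inline scripts, which is the condition Mozilla's quoted advice attaches to dropping the filter.

```python
# Added example, not code from the issue or the ngx_security_headers module.

# Source expressions that make CSP2/CSP3 browsers ignore 'unsafe-inline'.
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

def csp_directive(csp, name):
    """Lower-cased source list of directive `name`, or None if it is absent."""
    for part in csp.split(";"):
        tokens = part.strip().split()
        if tokens and tokens[0].lower() == name:
            return [t.lower() for t in tokens[1:]]
    return None

def csp_blocks_inline_scripts(csp):
    """True when the policy does not allow inline script execution."""
    # script-src governs scripts; default-src is the fallback when it is absent.
    sources = csp_directive(csp, "script-src")
    if sources is None:
        sources = csp_directive(csp, "default-src")
    if sources is None:
        return False  # nothing constrains scripts, inline JS runs freely
    if "'unsafe-inline'" not in sources:
        return True
    # 'unsafe-inline' is discarded when a nonce, hash or 'strict-dynamic' is present.
    return any(s.startswith(NONCE_OR_HASH) or s == "'strict-dynamic'" for s in sources)

def recommended_xss_protection(headers):
    """Value the rule proposed in the thread would send: 0 only behind a strong CSP."""
    lowered = {k.lower(): v for k, v in headers.items()}
    csp = lowered.get("content-security-policy")
    if csp and csp_blocks_inline_scripts(csp):
        return "0"
    return "1; mode=block"

def audit(headers):
    """Findings for one response; empty when X-XSS-Protection already matches the rule."""
    lowered = {k.lower(): v for k, v in headers.items()}
    want = recommended_xss_protection(headers)
    have = lowered.get("x-xss-protection")
    if have is None:
        return [f"X-XSS-Protection missing; expected '{want}'"]
    if have.replace(" ", "").lower() != want.replace(" ", ""):
        return [f"X-XSS-Protection is '{have}'; expected '{want}'"]
    return []

if __name__ == "__main__":
    # Constructed sample headers, not captured from any real site.
    sample = {"Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-abc123'",
              "X-XSS-Protection": "1; mode=block"}
    print(audit(sample))  # ["X-XSS-Protection is '1; mode=block'; expected '0'"]
```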
Dead weight issue - closing.