hapi
x-xss-protection should default to 0 (not 1; mode=block)
This issue was raised long ago in #1770 and ignored. I'm raising it again.
If you look at a few modern discussions:
https://security.stackexchange.com/questions/253924/is-it-better-to-disable-x-xss-protection-header-or-set-the-header-as-x-xss-prote
https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#x-xss-protection-header
They both recommend disabling this header by default (i.e., setting it to 0). Can I ask you to revisit this decision and make this recommended change this time?
And when this is done, it should set the header to: x-xss-protection: 0 (rather than simply dropping the header entirely).
We'll take this under consideration for the next major version of hapi 👍
I have made a PR for this, and your review is welcomed on it @davewichers: #4352.
Looks good to me. But I'm not much of a JavaScript expert. You might want to add a comment near the explanation of the '0' default to say 'as recommended by OWASP (with link)', or whatever, to provide a bit of rationale in the code.
Resolved with v21 https://github.com/hapijs/hapi/issues/4386
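The thread distinguishes three states a response can be in: the header explicitly set to `0` (what OWASP now recommends and what the issue asks for), the legacy `1; mode=block` default, and the header dropped entirely (which the reporter explicitly argues against, since it leaves the browser's own behaviour in control). The following is an added example, not hapi's code or anything from the maintainers: a small plain Node.js audit function (no hapi dependency) that classifies a response's headers into those states, handling case-insensitive header names and duplicated values. The function names, the sample header sets and the status labels are all constructed here for illustration.

```javascript
'use strict';

// Added example (not hapi's code): audit the X-XSS-Protection header of an
// HTTP response against the recommendation discussed in the issue thread.
//   'ok'      -> header explicitly "0" (recommended by OWASP)
//   'legacy'  -> XSS auditor enabled ("1", with or without mode/report)
//   'missing' -> header not sent at all (the thread argues against this)
//   'invalid' -> unparseable value or conflicting duplicate values

// Collect all values for a header name from a Node-style headers object,
// case-insensitively; array values (repeated headers) are flattened.
function getHeaderValues(headers, name) {
  const wanted = name.toLowerCase();
  const values = [];
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() !== wanted) continue;
    if (Array.isArray(value)) values.push(...value.map(String));
    else if (value !== undefined && value !== null) values.push(String(value));
  }
  return values;
}

// Parse "0", "1", "1; mode=block", "1; report=<url>" into a structured form.
function parseXssProtection(value) {
  const parts = value.split(';').map((p) => p.trim()).filter(Boolean);
  const enabled = parts.length > 0 ? parts[0] : '';
  const directives = {};
  for (const part of parts.slice(1)) {
    const [k, v = ''] = part.split('=').map((s) => s.trim());
    directives[k.toLowerCase()] = v;
  }
  return { enabled, directives };
}

// Classify the header. Returns { status, value, advice }.
function auditXssProtection(headers) {
  const values = getHeaderValues(headers, 'x-xss-protection');
  if (values.length === 0) {
    return { status: 'missing', value: null, advice: 'Send "X-XSS-Protection: 0" explicitly.' };
  }
  const distinct = [...new Set(values.map((v) => v.trim()))];
  if (distinct.length > 1) {
    return { status: 'invalid', value: distinct.join(', '), advice: 'Conflicting duplicate values; send a single "0".' };
  }
  const parsed = parseXssProtection(distinct[0]);
  if (parsed.enabled === '0') {
    return { status: 'ok', value: distinct[0], advice: null };
  }
  if (parsed.enabled === '1') {
    return { status: 'legacy', value: distinct[0], advice: 'Legacy XSS auditor setting; change to "0" as recommended by OWASP.' };
  }
  return { status: 'invalid', value: distinct[0], advice: 'Unrecognised value; send "0".' };
}

// Constructed sample header sets (not real captures), one per case:
// the pre-change hapi default, the requested default, the header dropped,
// and a response that emitted the header twice with different values.
const samples = {
  hapiBefore: { 'x-xss-protection': '1; mode=block', 'content-type': 'text/html' },
  hapiAfter: { 'X-XSS-Protection': '0', 'content-type': 'text/html' },
  dropped: { 'content-type': 'text/html' },
  duplicated: { 'x-xss-protection': ['1; mode=block', '0'] },
};

// Run the audit over every sample and return name -> status.
function auditAll(sampleSet) {
  const out = {};
  for (const [name, headers] of Object.entries(sampleSet)) {
    out[name] = auditXssProtection(headers).status;
  }
  return out;
}

console.log(auditAll(samples));
```

Running the block prints `{ hapiBefore: 'legacy', hapiAfter: 'ok', dropped: 'missing', duplicated: 'invalid' }`. Only the `hapiAfter` shape matches what the issue asks for; a `missing` result is the case the reporter specifically wanted to avoid when the default changed, so a response audit should flag it separately from `legacy`.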