
x-xss-protection should default to 0 (not 1; mode=block)

Open davewichers opened this issue 2 years ago • 3 comments

This issue was raised long ago in #1770 and ignored. I'm raising it again.

If you look at a few modern discussions: https://security.stackexchange.com/questions/253924/is-it-better-to-disable-x-xss-protection-header-or-set-the-header-as-x-xss-prote https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#x-xss-protection-header

They both recommend disabling this header by default (i.e., setting it to 0). Can I ask you to revisit this decision and make this recommended change this time?

And when this is done, it should set the header to: x-xss-protection: 0 (rather than simply dropping the header entirely).

davewichers avatar Jan 03 '22 20:01 davewichers

We'll take this under consideration for the next major version of hapi 👍

devinivy avatar Feb 17 '22 03:02 devinivy

I have made a PR for this, and your review is welcomed on it @davewichers: #4352.

devinivy avatar Apr 29 '22 03:04 devinivy

Looks good to me. But I'm not much of a JavaScript expert. You might want to add a comment near the explanation of the '0' default to say 'as recommended by OWASP (with link)', or whatever, to provide a bit of rationale in the code.

davewichers avatar Apr 29 '22 22:04 davewichers

Resolved with v21 https://github.com/hapijs/hapi/issues/4386

devinivy avatar Nov 07 '22 14:11 devinivy