From ebbf002a731ff536f040c77a8b03e932679b557c Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Fri, 10 Dec 2021 04:29:44 -0500
Subject: [PATCH] disable legacy X-XSS-Protection feature
---
 nginx/snippets/security-headers-base.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/nginx/snippets/security-headers-base.conf b/nginx/snippets/security-headers-base.conf
index 40104334..a7669ca4 100644
--- a/nginx/snippets/security-headers-base.conf
+++ b/nginx/snippets/security-headers-base.conf
@@ -10,5 +10,5 @@ add_header Expect-CT "enforce, max-age=63072000" always;
 # obsolete and replaced with Content-Security-Policy frame-ancestors 'none'
 add_header X-Frame-Options "DENY" always;
-# obsolete and replaced with strong Content-Security-Policy
-add_header X-XSS-Protection "1; mode=block" always;
+# obsolete, unsafe and replaced with strong Content-Security-Policy
+add_header X-XSS-Protection "0" always;
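Review bot: The new comment above `add_header X-XSS-Protection "0" always;` calls the feature "unsafe" but does not say why, nor why the header is kept at all instead of being deleted; a maintainer reading this later could reasonably "clean it up" by removing the line, which re-enables the auditor's default-on behaviour in the few browsers that still implement it. Suggest replacing the comment with `# obsolete and unsafe: the browser XSS auditor has been abused for cross-site leaks and to selectively block legitimate pages; "0" explicitly turns it off in browsers that still ship it. Superseded by a strong Content-Security-Policy.` The Content-Security-Policy that this comment says replaces the header is not in this hunk, so confirm it is actually emitted in the same context — nginx `add_header` directives in a nested `server`/`location` block replace rather than extend those inherited from the parent, so including this snippet only at a higher level than another `add_header` would silently drop both headers. In the same spirit, the `Expect-CT` header shown in the hunk header context is also deprecated and may deserve the same treatment in a follow-up.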