This issue was raised long ago in #1770 and ignored. I'm raising it again.
If you look at a few modern discussions:
https://security.stackexchange.com/questions/253924/is-it-better-to-disable-x-xss-protection-header-or-set-the-header-as-x-xss-prote
https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#x-xss-protection-header
They both recommend disabling this header by default (i.e., setting it to 0). Can I ask you to revisit this decision and make this recommended change this time?
And when this is done, it should set the header to: x-xss-protection: 0 (rather than simply dropping the header entirely).

Looks good to me. But I'm not much of a JavaScript expert. You might want to add a comment near the "default is '0'" explanation to say "as recommended by OWASP (with link)", or whatever, to provide a bit of rationale in the code.
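The distinction the issue draws (explicitly sending `x-xss-protection: 0` versus omitting the header) is easy to get wrong in a response-header helper. The snippet below is an added illustration, not code from the issue or from the project under discussion: an Express-style middleware `xssProtectionOff` that sets the header to `0`, and an audit helper `auditXssProtection` that tells "header absent" apart from "header explicitly disabled". The function names and the minimal `makeRes` response stub are assumptions made for this example.

```javascript
// Added example (not the project's own code). Express-style middleware
// that explicitly disables the legacy XSS auditor, plus an audit helper.

// Middleware: set the header to "0" so browsers that still honour it switch
// the auditor off, instead of falling back to their own built-in default
// when the header is absent. Hypothetical name, assumed for this example.
function xssProtectionOff(req, res, next) {
  res.setHeader('X-XSS-Protection', '0');
  next();
}

// Audit a header map (header names compared case-insensitively) and classify
// the state, so a test suite can assert "disabled" rather than "missing".
function auditXssProtection(headers) {
  const entry = Object.entries(headers).find(
    ([name]) => name.toLowerCase() === 'x-xss-protection'
  );
  if (!entry) return 'missing';          // header dropped: browser default applies
  const value = String(entry[1]).trim();
  if (value === '0') return 'disabled';  // recommended: auditor explicitly off
  return 'enabled';                      // "1" or "1; mode=block": auditor on
}

// Minimal stand-in for an Express response object, constructed for this
// example so the block runs without any dependencies.
function makeRes() {
  const headers = {};
  return {
    headers,
    setHeader(name, value) { headers[name] = value; },
  };
}

// Run the middleware against the stub and report what the audit sees.
function run() {
  const res = makeRes();
  xssProtectionOff({}, res, () => {});
  return auditXssProtection(res.headers);
}

console.log(run()); // disabled
```

The audit helper is the useful part for a regression test: a suite that only checks `headers['x-xss-protection'] !== '1'` would pass if the header were silently dropped, which is exactly the outcome the issue asks to avoid.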