From 91cb36d7a0a480f11f1fb8872c70def8c4861413 Mon Sep 17 00:00:00 2001 From: Daniel Micay Date: Fri, 10 Dec 2021 04:31:03 -0500 Subject: [PATCH] disable legacy X-XSS-Protection feature --- nginx/snippets/security-headers.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nginx/snippets/security-headers.conf b/nginx/snippets/security-headers.conf index 6679cf0..6d56ca6 100644 --- a/nginx/snippets/security-headers.conf +++ b/nginx/snippets/security-headers.conf @@ -7,5 +7,5 @@ add_header Cross-Origin-Embedder-Policy "require-corp" always; # obsolete when client system time is correct add_header Expect-CT "enforce, max-age=63072000" always; -# obsolete and replaced with strong Content-Security-Policy -add_header X-XSS-Protection "1; mode=block" always; +# obsolete, unsafe and replaced with strong Content-Security-Policy +add_header X-XSS-Protection "0" always;