
Disable the X-XSS-Protection header in defaults #35

Open mahsa2 opened this issue 4 years ago • 3 comments

Disable the XSS Auditor in older browsers by default. The X-XSS-Protection header has been deprecated by modern browsers due to security issues it introduces on the client side.

Resolves: #35

mahsa2 avatar Mar 23 '21 13:03 mahsa2
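For readers who want to see what this change means for an application built on ring-defaults, here is an added example (not code from the ring-defaults project or from this PR). It assumes ring-defaults is on the classpath and uses its real `wrap-defaults` and `site-defaults` from `ring.middleware.defaults`; the `:security :xss-protection` key is the setting the PR turns off by default. The two app definitions show the old default (header emitted with `mode=block`) beside the behaviour this PR asks for (header not emitted), and a small helper reads the header back from a response so the difference can be checked without a browser.

```clojure
;; Added example; not part of ring-defaults or of this PR.
;; Assumes ring-defaults is available (ring.middleware.defaults is its real namespace).
(ns example.xss-header
  (:require [ring.middleware.defaults :refer [wrap-defaults site-defaults]]))

;; A minimal Ring handler; the body is constructed sample content.
(defn handler [_request]
  {:status  200
   :headers {"Content-Type" "text/html"}
   :body    "<h1>hello</h1>"})

;; Pre-PR behaviour: the XSS Auditor is enabled by the default config,
;; which sets :security {:xss-protection {:enable? true :mode :block}}.
(def legacy-app
  (wrap-defaults handler
                 (assoc-in site-defaults [:security :xss-protection]
                           {:enable? true :mode :block})))

;; Post-PR behaviour: the header is disabled, so browsers fall back to
;; their own (now standard) handling and the deprecated auditor is never
;; switched on. Setting the key to false is how ring-defaults turns the
;; middleware off.
(def hardened-app
  (wrap-defaults handler
                 (assoc-in site-defaults [:security :xss-protection] false)))

;; Constructed request map used to exercise both apps in-process.
(def sample-request
  {:request-method :get
   :uri            "/"
   :headers        {}})

(defn xss-header
  "Return the X-XSS-Protection header value a Ring app emits for
  sample-request, or nil when the app does not set the header."
  [app]
  (get-in (app sample-request) [:headers "X-XSS-Protection"]))

(defn header-disabled?
  "True when the app emits no X-XSS-Protection header at all, which is
  the state this PR makes the default."
  [app]
  (nil? (xss-header app)))

(comment
  ;; Evaluate at a REPL to compare the two configurations.
  (xss-header legacy-app)
  (header-disabled? legacy-app)
  (header-disabled? hardened-app))
```

The point to take from the helper is that disabling the setting removes the header rather than sending `X-XSS-Protection: 0`; both prevent the auditor from running, but an absent header is the form the OWASP cheat sheet linked later in this thread describes for modern deployments, and it is the easiest to verify in an integration test by asserting that the header key is not present in the response map.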

Thanks for the review. Submitted an update.

mahsa2 avatar Mar 24 '21 11:03 mahsa2

That seems fine. Can you squash your two commits?

weavejester avatar Mar 28 '21 11:03 weavejester

Thanks! Apologies for the delay - GitHub doesn't always notify me about commit changes.

Can you change the commit message to:

Disable the X-XSS-Protection header in defaults

Disable the XSS Auditor in older browsers by default. The
X-XSS-Protection header has been deprecated by modern browsers due to
security issues it introduces on the client.

See: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#x-xss-protection-header

Fixes #35.

That just fixes the wrapping, and I tend to use 'Fixes' rather than 'Resolves' in the logs, so by making it consistent it's easier to search. Adding the URL gives some information on why the change was implemented.

weavejester avatar Apr 23 '21 05:04 weavejester

This PR could probably be closed as the change has been done in another PR.

terop avatar Sep 19 '22 16:09 terop