Unverified Commit 409107d2 authored by Maximilian Bosch

nixos/grafana: don't set X-XSS-Protection anymore

Part of #438800.

The OWASP recommendation[1] is:

> The X-XSS-Protection header has been deprecated by modern browsers
> and its use can introduce additional security issues on the client
> side. As such, it is recommended to set the header as X-XSS-Protection: 0
> in order to disable the XSS Auditor, and not allow it to take the default
> behavior of the browser handling the response. Please use
> Content-Security-Policy instead.

Hence, we turn this off, diverging from the upstream defaults here. An
upstream issue has been opened[2].

[1] https://owasp.org/www-project-secure-headers/#x-xss-protection
[2] https://github.com/grafana/grafana/issues/110369
parent 925e8b89
+5 −2
@@ -985,10 +985,13 @@ in

            x_xss_protection = mkOption {
              description = ''
                Set to `false` to disable the `X-XSS-Protection` header,
                Set to `true` to enable the `X-XSS-Protection` header,
                which tells browsers to stop pages from loading when they detect reflected cross-site scripting (XSS) attacks.

                __Note:__ this is the default in Grafana, it's turned off here
                since it's [recommended to not use this header anymore](https://owasp.org/www-project-secure-headers/#x-xss-protection).
              '';
              default = true;
              default = false;
              type = types.bool;
            };
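Review bot: the rewritten description for `x_xss_protection` does not say what `false` actually does on the wire, and this matters because the OWASP text quoted in the commit message recommends sending `X-XSS-Protection: 0` explicitly rather than simply not sending the header; the option's description should state whether `false` omits the header or sends `0`, so readers can judge whether the NixOS default matches the cited advice. The `__Note:__` paragraph is also ambiguous: "this is the default in Grafana, it's turned off here" leaves "this" dangling, so something like "Upstream Grafana defaults this to `true`; NixOS defaults it to `false` because ..." reads more clearly, and since the same OWASP text says to use `Content-Security-Policy` instead, the note should point users at the module's CSP option as the replacement rather than leaving them with a disabled header and no alternative. Finally, flipping a default is a user-visible behaviour change for existing deployments, so this commit (or the rest of the series under #438800) should carry a release-note entry mentioning the new default and the upstream issue.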