nixos/grocy: don't set X-XSS-Protection anymore
Part of #438800.

The OWASP recommendation[1] is:

> The X-XSS-Protection header has been deprecated by modern browsers
> and its use can introduce additional security issues on the client
> side. As such, it is recommended to set the header as X-XSS-Protection: 0
> in order to disable the XSS Auditor, and not allow it to take the default
> behavior of the browser handling the response. Please use
> Content-Security-Policy instead.

[1] https://owasp.org/www-project-secure-headers/#x-xss-protection