🌱 Feature Request

Is your feature request related to a problem? Please describe.

The X-XSS-Protection header seems to be falling out of favor across similar projects, since it causes more problems than it solves.

Describe the solution you'd like

The default value for X-XSS-Protection should be changed from 1 to 0. That ensures legacy browsers disable their buggy XSS Protection filters.

Describe alternatives you've considered

An alternative would be to update the README, suggesting projects configure xssProtection: false manually. And potentially updating this chart.

Documentation, Adoption, Migration Strategy

Helmet included this change as part of a major version bump. That's probably the safest way to go?

It's easy enough to work around in the meantime. I'm mainly opening up an issue since there weren't any similar discussions here yet, and I was curious if xssProtection: false is generally recommended now.

Additional context
helmetjs/helmet#230
https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#x-xss-protection-header
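The default flip requested above, written out as an added example (not this project's or Helmet's code): a minimal Express/Koa-style header middleware with the legacy default (filter on) beside the proposed default (filter off), plus a small audit helper for checking responses. The function names and the "1; mode=block" value for the enabled case are assumptions, not taken from the issue.

```javascript
// Added example, not the project's code. Names are hypothetical.

// Legacy behaviour: X-XSS-Protection is enabled unless explicitly set to false.
function legacyXssProtection(options = {}) {
  const enabled = options.xssProtection !== false;
  return enabled ? '1; mode=block' : '0';
}

// Proposed behaviour: default to "0", which tells legacy browsers to keep
// their buggy XSS filter switched off; only an explicit true turns it on.
function xssProtection(options = {}) {
  const enabled = options.xssProtection === true;
  return enabled ? '1; mode=block' : '0';
}

// Middleware factory using the proposed default. Works with any framework
// whose response object exposes setHeader(name, value).
function xssProtectionMiddleware(options) {
  const value = xssProtection(options);
  return function (req, res, next) {
    res.setHeader('X-XSS-Protection', value);
    if (typeof next === 'function') next();
  };
}

// Audit helper: given a plain object of response headers (case-insensitive
// lookup), report whether the legacy filter is still enabled.
function auditXssProtection(headers) {
  const key = Object.keys(headers).find(
    (k) => k.toLowerCase() === 'x-xss-protection'
  );
  if (!key) {
    return { present: false, filterEnabled: false, recommendation: 'set X-XSS-Protection: 0' };
  }
  const filterEnabled = String(headers[key]).trim().startsWith('1');
  return {
    present: true,
    filterEnabled,
    recommendation: filterEnabled ? 'change X-XSS-Protection to 0' : 'ok',
  };
}
```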