Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

X-XSS-Protection: header should be disabled by default

See original GitHub issue

Following a decision by Google Chrome developers to disable Auditor, developers should be able to disable the auditor for older browsers and set it to 0. The X-XSS-PROTECTION header was found to have a multitude of issues, instead of helping the developers protect their application. The following discussion describes the issue at hand with more references: https://github.com/OWASP/CheatSheetSeries/issues/376 A PR is currently open to tackle the issue at the CheatSheet Series project: https://github.com/OWASP/CheatSheetSeries/pull/378

If approved, we can help with creating a PR for this issue. Available for further discussions 😄

Issue Analytics

State:
Created 3 years ago
Reactions:6
Comments:17 (9 by maintainers)

Top GitHub Comments

10reactions

EvanHahncommented, Aug 2, 2020

Helmet v4 (and x-xss-protection@2) was just released, which disables this header.

Thanks for reporting and for discussing this with me.

1reaction

EvanHahncommented, May 25, 2020

To anyone reading this issue who wants to disable the header: you don’t need this module. Here’s a very short piece of custom middleware that does the trick:

app.use(function (req, res, next) {
  res.setHeader('X-XSS-Protection', '0');
  next();
});

As I said before, I think users should be able to set the header’s value to whatever suits them. If that’s 0, great—if that’s 1; mode=block, that’s okay too.

But what should the default value be?

Setting the default to 1; mode=block protects everyone from trivial XSS but puts everyone at risk of side-channel attacks.
Setting the default to 0 protects everyone from side-channel attacks, but puts some people at risk for trivial XSS.

No matter what we choose, the default will put some people at risk.

I’m coming around to the idea that the default should be 0 but there should also be a strong default Content Security Policy set by Helmet. And again: users should be able to change the default to whatever suits them.

The Secure Headers module is also dealing with this issue and I want to discuss with them a bit, but that’s my tentative plan.

Top Results From Across the Web

Is it better to disable X-XSS-Protection header or set the ...

It is preferred to explicitly set the X-XSS-Protection header to 0 because of the simple fact that having it explicitly disabled prevents ...

X-XSS-Protection - HTTP - MDN Web Docs

The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect ...

X-XSS-Protection header disabled - Beagle Security

It is found that the X XSS Protection header is disabled in the application. This application is at risk due to its vulnerability...

X-XSS-Protection - Preventing Cross-Site Scripting Attacks

Implementing HTTP security headers is an important way to keep your site and your visitors safe from attacks and hackers.

XSS protection: Disabled Header - Sensei Hub

One of the security headers that Spring Security provides by default is the X-XSS-Protection header. It will prevent browsers from rendering when an...