jagaapple / next-secure-headers

Sets secure response headers for Next.js.
MIT License
317 stars 13 forks

X-XSS-Protection: header should be disabled by default #49

Open markdascher opened 3 years ago

markdascher commented 3 years ago

🌱 Feature Request

Is your feature request related to a problem? Please describe.

The X-XSS-Protection header seems to be falling out of favor across similar projects, since it causes more problems than it solves.

Describe the solution you'd like

The default value for X-XSS-Protection should be changed from 1 to 0. That ensures legacy browsers disable their buggy XSS Protection filters.

Describe alternatives you've considered

An alternative would be to update the README, suggesting projects configure xssProtection: false manually. And potentially updating this chart.

Documentation, Adoption, Migration Strategy

Helmet included this change as part of a major version bump. That's probably the safest way to go?

It's easy enough to work around in the meantime. I'm mainly opening up an issue since there weren't any similar discussions here yet, and I was curious if xssProtection: false is generally recommended now.

Additional context

https://github.com/helmetjs/helmet/issues/230
https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#x-xss-protection-header
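As an added example (not code from next-secure-headers or from the issue author), here is a next.config.js-style header set that sends the value proposed above, paired with a small audit helper that flags the legacy `1` values when checking a live response. The function names secureHeaders and auditXssProtection, and the CSP value, are assumptions for illustration.

```javascript
// Added example, not next-secure-headers' own code. The header list is hand-rolled
// here instead of calling createSecureHeaders(); names are hypothetical.

// Header set applied to every route.
function secureHeaders() {
  return [
    // "0" tells legacy browsers to switch their XSS auditor off entirely,
    // which is the change this issue asks for as the default.
    { key: "X-XSS-Protection", value: "0" },
    // The auditor's job is covered by a Content Security Policy instead
    // (assumed policy; tighten for a real app).
    { key: "Content-Security-Policy", value: "default-src 'self'; object-src 'none'" },
    { key: "X-Content-Type-Options", value: "nosniff" },
  ];
}

// Shape Next.js expects in next.config.js: module.exports = { async headers() {...} }
const nextConfig = {
  async headers() {
    return [{ source: "/(.*)", headers: secureHeaders() }];
  },
};

// Classify the X-XSS-Protection value a response actually carries.
// `value` is the raw header string, or undefined when the header is absent.
function auditXssProtection(value) {
  if (value === undefined) {
    return { ok: false, reason: "header missing; legacy browsers keep their filter on" };
  }
  const normalized = value.trim().toLowerCase();
  if (normalized === "0") {
    return { ok: true, reason: "filter explicitly disabled" };
  }
  // "1", "1; mode=block" and "1; report=<uri>" all leave the buggy filter enabled.
  if (/^1(\s*;\s*(mode=block|report=.+))?$/.test(normalized)) {
    return { ok: false, reason: `legacy filter enabled (${value}); send 0 instead` };
  }
  return { ok: false, reason: `unrecognised value: ${value}` };
}

// Audit a Node-style headers object (lower-case keys, as on http.IncomingMessage).
function auditResponse(headers) {
  return auditXssProtection(headers["x-xss-protection"]);
}

module.exports = { nextConfig, secureHeaders, auditXssProtection, auditResponse };
```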