🌱 Feature Request

Is your feature request related to a problem? Please describe.
The X-XSS-Protection header seems to be falling out of favor across similar projects, since it causes more problems than it solves.
Describe the solution you'd like
The default value for X-XSS-Protection should be changed from 1 to 0. That ensures legacy browsers disable their buggy XSS Protection filters.
Describe alternatives you've considered
An alternative would be to update the README, suggesting projects configure xssProtection: false manually. And potentially updating this chart.
Documentation, Adoption, Migration Strategy
Helmet included this change as part of a major version bump. That's probably the safest way to go?
It's easy enough to work around in the meantime. I'm mainly opening up an issue since there weren't any similar discussions here yet, and I was curious if xssProtection: false is generally recommended now.
Additional context
https://github.com/helmetjs/helmet/issues/230
https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#x-xss-protection-header