nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0

[Bug]: Setup check for `X-XSS-Protection` recommendation is deprecated #37154

Open jbouter opened 1 year ago

jbouter commented 1 year ago


Bug description

The Nextcloud administration page shows the following warning:

The "X-XSS-Protection" HTTP header does not contain "1; mode=block". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.

However, the X-XSS-Protection header is deprecated. OWASP recommends you remove the header from your webserver.

It shows the following warning when the header is used:

Warning: The X-XSS-Protection header has been deprecated by modern browsers and its use can introduce additional security issues on the client side. As such, it is recommended to set the header as X-XSS-Protection: 0 in order to disable the XSS Auditor, and not allow it to take the default behavior of the browser handling the response. Please use Content-Security-Policy instead.

Steps to reproduce

  1. Log into a Nextcloud instance as admin
  2. Navigate towards the Administration > Overview page
  3. Observe the recommendation of Nextcloud to set the X-XSS-Protection header

Expected behavior

Do not show this recommendation, and possibly advise users to unset the HTTP header in order to inform them of its deprecation.
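
The check the report is asking for, as an added example that is not Nextcloud's own setup-check code: given a response header map, flag a legacy `X-XSS-Protection` value (anything other than `0`) as deprecated, accept its absence or `0`, and report whether a `Content-Security-Policy` is present whose `script-src` (or fallback `default-src`) omits `'unsafe-inline'`, which is the condition MDN gives for the header being unnecessary. The two header sets at the bottom are constructed samples, not captured from a real instance.

```python
"""Assess X-XSS-Protection / CSP posture from a dict of response headers.

Added example; not Nextcloud code. Sample header sets are constructed.
"""
from typing import Dict, List, Optional


def _norm(headers: Dict[str, str]) -> Dict[str, str]:
    # HTTP header names are case-insensitive; values are compared trimmed.
    return {k.lower(): v.strip() for k, v in headers.items()}


def csp_blocks_inline_scripts(csp: str) -> bool:
    """True if the CSP has a script-src (or fallback default-src) directive
    that does not allow 'unsafe-inline'. No applicable directive -> False."""
    directives: Dict[str, List[str]] = {}
    for part in csp.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    sources: Optional[List[str]] = directives.get(
        "script-src", directives.get("default-src")
    )
    if sources is None:
        return False
    # An empty source list means no script source is allowed at all.
    return "'unsafe-inline'" not in sources


def assess(headers: Dict[str, str]) -> List[str]:
    """Return one finding per relevant header, prefixed OK: or WARN:."""
    h = _norm(headers)
    findings: List[str] = []

    xss = h.get("x-xss-protection")
    if xss is None:
        findings.append("OK: X-XSS-Protection not sent (header is deprecated)")
    elif xss.split(";")[0].strip() == "0":
        findings.append("OK: X-XSS-Protection: 0 disables the legacy XSS auditor")
    else:
        findings.append(
            f"WARN: deprecated X-XSS-Protection: {xss!r} enables the legacy "
            "auditor; remove the header or send 0"
        )

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("WARN: no Content-Security-Policy header")
    elif csp_blocks_inline_scripts(csp):
        findings.append("OK: CSP forbids inline scripts")
    else:
        findings.append(
            "WARN: CSP does not restrict inline scripts "
            "('unsafe-inline' present or no script-src/default-src)"
        )
    return findings


# Constructed samples: the header set the current setup check asks for,
# and the OWASP-style replacement (header disabled, inline scripts blocked by CSP).
LEGACY = {"X-XSS-Protection": "1; mode=block"}
HARDENED = {
    "X-XSS-Protection": "0",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-abc123'",
}

if __name__ == "__main__":
    for name, hdrs in (("legacy", LEGACY), ("hardened", HARDENED)):
        print(name)
        for line in assess(hdrs):
            print("  " + line)
```

Point the same function at `dict(response.headers)` from any HTTP client to check a live instance; the nonce in the hardened sample is a placeholder, not a value Nextcloud emits.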

szaimen commented 1 year ago

Hi, which nc version?

jbouter commented 1 year ago

Hi @szaimen! Version is 25.0.4

kesselb commented 1 year ago

Related: https://github.com/nextcloud/server/issues/34748

aentwist commented 1 year ago

I am just getting set up and am already unsetting it in my web server layer. So for me the recommendation to add it back is just obnoxious.

Instead of setting it to 0, it should simply not be set.

This is bending this issue a little bit. Remove the whole thing instead of just the warning. I wouldn't remove the in-your-face part until the underlying problem is fixed.


Adding the MDN docs to this ~

These protections are largely unnecessary in modern browsers when sites implement a strong Content-Security-Policy that disables the use of inline JavaScript ('unsafe-inline').

Warning: Even though this feature can protect users of older web browsers that don't yet support CSP, in some cases, XSS protection can create XSS vulnerabilities in otherwise safe websites.


Non-comprehensive list for removal

And also


See also

magikmw commented 1 year ago

Still relevant for v26.0.4

fa-ve commented 11 months ago

Still relevant for: v27.1.3

psychedelicu commented 6 months ago

Still relevant for v28.0.5.1 :)

CoLuxe commented 5 months ago

And still for v29.0.1

Nextcloud still sets this header automatically (see: Nextcloud Documentation) and shows the warning if you overwrite it with your webserver. It's deprecated and Nextcloud should not set this header.

Sabering1 commented 4 months ago

Still relevant