webhintio / hint

💡 A hinting engine for the web
https://webhint.io/
Apache License 2.0

[Bug] IIS Configuration example for Unneeded HTTP Header doesn't make pass the hint. #3507

Open sarvaje opened 4 years ago

sarvaje commented 4 years ago

🐛 Bug report

Description

The configuration example for IIS only rewrites the value of the header to an empty string, but the header is still there and the hint is still complaining.

I'm trying to delete the header X-XSS-Protection for elements that are not HTML.

The configuration suggested in the documentation is:

      <outboundRules>
        <rule name="X-XSS-Protection">
          <match serverVariable="RESPONSE_X_XSS_Protection" pattern=".*" />
          <conditions>
            <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" negate="true" />
          </conditions>
          <action type="Rewrite" value=""/>
        </rule>
      </outboundRules>

Environment

webhint configuration

webhint’s configuration

Categories:
* [x] Accessibility
* [x] Compatibility
* [x] Performance
* [x] Pitfalls
* [x] PWA
* [x] Security

Your target browsers:
* [x] Recommended settings
* [ ] Custom:

Ignored resources:
* [x] None
* [ ] Different origin
* [ ] Custom:

Minimum hint severity:
* [ ] Error
* [x] Warning
* [ ] Hint
* [ ] Information

Debug output


webhint’s Error details

```text
Response should not include unneeded 'x-xss-protection' header.
```

molant commented 4 years ago

Do you know what the action would be to remove? Also I believe there are a few open issues about changing the behavior of this hint.

sarvaje commented 4 years ago

The actions are "Rewrite" and "None". https://docs.microsoft.com/en-us/iis/extensions/url-rewrite-module/url-rewrite-module-20-configuration-reference#rewrite-action

I have been looking for another way, but I can't find any :(

molant commented 4 years ago

We should probably add empty string as a valid value then.

sarvaje commented 4 years ago

If it is not possible to delete in IIS, I think that is a good solution.
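As an added illustration of the behaviour discussed in this thread (example code written for this page, not webhint's own hint implementation): the check below parses a raw HTTP response head, flags `X-XSS-Protection` on non-HTML responses, and, with `allowEmpty` on, treats a header whose value was rewritten to an empty string the same as an absent header, which is the change molant proposes. The header list, the `text/html` exception and the sample responses are assumptions constructed for the example, mirroring the IIS rule quoted above.

```javascript
// Added example, not webhint's code: a minimal model of an "unneeded header"
// check that accepts an empty header value as equivalent to a removed header,
// because IIS outbound rules can only Rewrite a response header, not delete it.

// Assumption: list trimmed to the single header discussed in this issue.
const UNNEEDED_HEADERS = ['x-xss-protection'];

// Parse a raw HTTP/1.1 response head (status line plus header lines) into a
// lower-cased header map. Repeated headers are joined with ", " as per RFC 7230.
function parseResponseHead(raw) {
  const lines = raw.split(/\r?\n/);
  const statusLine = lines.shift();
  const headers = {};
  for (const line of lines) {
    if (line.trim() === '') break; // blank line ends the header section
    const idx = line.indexOf(':');
    if (idx === -1) continue; // tolerate malformed lines instead of throwing
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim(); // "X-XSS-Protection: " -> ''
    headers[name] = name in headers ? `${headers[name]}, ${value}` : value;
  }
  return { statusLine, headers };
}

// Mirrors the {RESPONSE_CONTENT_TYPE} ^text/html condition of the IIS rule.
function isHtml(headers) {
  return /^text\/html/i.test(headers['content-type'] || '');
}

// Returns the hint messages a response would produce. With allowEmpty=true an
// empty value counts as removed (the proposal in this thread); with
// allowEmpty=false the header is flagged as long as it is present at all.
function unneededHeaderFindings(raw, { allowEmpty = true } = {}) {
  const { headers } = parseResponseHead(raw);
  const findings = [];
  for (const name of UNNEEDED_HEADERS) {
    if (!(name in headers)) continue;
    if (isHtml(headers)) continue; // only unneeded on non-HTML responses
    if (allowEmpty && headers[name] === '') continue;
    findings.push(`Response should not include unneeded '${name}' header.`);
  }
  return findings;
}

// Constructed sample responses: the same CSS file before and after the IIS
// rewrite rule, plus an HTML page that keeps the header.
const SAMPLES = {
  cssOriginal:
    'HTTP/1.1 200 OK\r\nContent-Type: text/css\r\nX-XSS-Protection: 1; mode=block\r\n\r\n',
  cssRewritten:
    'HTTP/1.1 200 OK\r\nContent-Type: text/css\r\nX-XSS-Protection: \r\n\r\n',
  htmlPage:
    'HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\nX-XSS-Protection: 1; mode=block\r\n\r\n',
};

// Run every sample under both policies so the difference is visible at a glance.
function checkSamples() {
  const results = {};
  for (const [label, raw] of Object.entries(SAMPLES)) {
    results[label] = {
      allowEmpty: unneededHeaderFindings(raw).length,
      strict: unneededHeaderFindings(raw, { allowEmpty: false }).length,
    };
  }
  return results;
}

console.table(checkSamples());
```

Running the block prints one row per sample: the original CSS response is flagged under both policies, the rewritten one only under the strict policy, and the HTML page under neither.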