Update default X-XSS-Protection value to 0 (#479)
This PR updates the default value of the `X-XSS-Protection` header to 0.
There's further discussion here about the reasons for this:
#439.

## All PRs:

* [x] Has tests
* [x] Documentation updated

Closes #439
rzhade3 authored Aug 9, 2024
1 parent b122c2f commit cf56fc9
Showing 2 changed files with 2 additions and 2 deletions.
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -105,7 +105,7 @@ X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: sameorigin
X-Permitted-Cross-Domain-Policies: none
X-Xss-Protection: 1; mode=block
X-Xss-Protection: 0
```

## API configurations
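Review bot: the README change swaps the value but not the header name casing, so the documentation now reads `X-Xss-Protection: 0` while the library's `HEADER_NAME` constant is `"X-XSS-Protection"`; header names are case-insensitive on the wire, but the two spellings in the same project invite copy-paste confusion, so align the README line with the constant. The commit message also says the reasons for moving to `0` live in #439, yet the README shows only the bare value; a one-line note next to this example (or a link to #439) would let readers see that `0` is the deliberate recommendation rather than a weaker setting.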
2 changes: 1 addition & 1 deletion lib/secure_headers/headers/x_xss_protection.rb
Expand Up @@ -3,7 +3,7 @@ module SecureHeaders
class XXssProtectionConfigError < StandardError; end
class XXssProtection
HEADER_NAME = "X-XSS-Protection".freeze
DEFAULT_VALUE = "1; mode=block"
DEFAULT_VALUE = "0".freeze
VALID_X_XSS_HEADER = /\A[01](; mode=block)?(; report=.*)?\z/

class << self
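Review bot: the PR checklist claims "Has tests", but the commit touches only README.md and x_xss_protection.rb, so no test asserts that the default emitted header is now `0`; a spec that builds the default config and checks the rendered `X-XSS-Protection` value would lock in this behaviour and catch a regression back to `1; mode=block`. Adding `.freeze` to `DEFAULT_VALUE` is consistent with `HEADER_NAME` and worth keeping. Note that `VALID_X_XSS_HEADER` is unchanged and still accepts `1; mode=block` and `; report=...`, so callers who explicitly configure the legacy value are still allowed to; if that is intended, a changelog or README line saying the old value remains opt-in would make the default change less surprising.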