Remove X-XSS-Protection Response Header #378
Conversation
|
Yeah that works. I kept on the back burner to see if we should replace it with a small note. Didn't have proper time to think about it. What do you think? |
|
This header is recommended in a few places, so if we're removing it here we need to remove it everywhere:
Given that we've going against many other people's recommendations here, I think we do still need to include it somewhere in the CS to make it clear that it's an intentional choice not to recommend it, rather than just an omission. The obvious place would be in the CSP section, something along the lines of:
And also provide some (reputable) sources where people can go and read more information about it. |
|
I agree we need to change this recommendation so it's /consistent in all
cheatasheets/. Remember, using this header is actually HARMFUL to
security even in older browsers. So I am all for including the
recommendation to disable this header - consistently - in all
cheatsheets that reference it.
There are plenty of references we can use from earlier in this thread
where we see the use of the header being harmful, as well as most major
browsers removing it.
- Jim
On 3/30/20 4:30 PM, rbsec wrote:
This header is recommended in a few places, so if we're removing it
here we need to remove it everywhere:
* DotNet Security
* NodeJS Security
* Ruby on Rails
Given that we've going against many other people's recommendations
here, I think we do still need to include it somewhere in the CS to
make it clear that it's an intentional choice not to recommend it,
rather than just an omission. The obvious place would be in the CSP
section, something along the lines of:
Note that the |X-XSS-Protection| header has been deprecated by
modern browsers and it's use can introduce additional security
issues. As such, it is no longer recommended.
And also provide some (reputable) sources where people can go and read
more information about it.
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#378 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAEBYCJA76RUITBGUTNXOQLRKD6M5ANCNFSM4LW2GXMQ>.
--
Jim Manico
Manicode Security
https://www.manicode.com
|
|
What about adding new h1 |
|
As long as that advice is to absolutely NOT use this header and to disable it, I’m cool with that.
…--
Jim Manico
@manicode
On Mar 31, 2020, at 2:26 AM, mackowski ***@***.***> wrote:
What about adding new h1 X-XSS-Protection header with content that @rbsec proposed - that way it will be easy to link to it from other places and will be easy to spot.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub, or unsubscribe.
|
|
I made an update on the 3 mentioned CSs, and on the official one for XSS. Let me know what you think |
|
Love it!
…--
Jim Manico
@manicode
On Apr 9, 2020, at 1:41 PM, rbsec ***@***.***> wrote:
@rbsec commented on this pull request.
In cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md:
> @@ -395,7 +389,19 @@ If you **really** have to use them remember that now all the data must be [sanit
Avoid template injection in Angular by building with `--prod` parameter (`ng build --prod`).
-Also remember to keep your framework updated to the latest version with all possible bug fixes.
+Also remember to keep your framework updated to the latest version with all possible bug fixes.
+
+## X-XSS-Protection Header
+
+`X-XSS-Protection` header has been deprecated by modern browsers and its use can introduce additional security issues. As such, it is no longer recommended and should be disabled.
+
+For references:
+
+- [Chrome removed the XSS Auditor](https://www.chromestatus.com/feature/5021976655560704)
Also https://portswigger.net/daily-swig/google-chromes-xss-auditor-goes-back-to-filter-mode might be a good one
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub, or unsubscribe.
|
|
@ThunderSon last update looks good. @rbsec can you review it? |
This PR covers issue #376