From e0fb7fcf0863bc5b15734877e9150fdc88e1b296 Mon Sep 17 00:00:00 2001
From: titanism <101466223+titanism@users.noreply.github.com>
Date: Fri, 7 Apr 2023 12:28:03 -0500
Subject: [PATCH] fix: explicity set X-XSS-Protection to 0 in koa middleware per
---
 config/web.js | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/config/web.js b/config/web.js
index b52d32624c..6dba291a62 100644
--- a/config/web.js
+++ b/config/web.js
@@ -187,6 +187,12 @@ module.exports = (redis) => ({
 app.context.client,
 app.context.logger
 );
+ app.use((ctx, next) => {
+ // since we're on an older helmet version due to koa-helmet
+ //
+ ctx.set('X-XSS-Protection', '0');
+ return next();
+ });
 },
 hookBeforePassport(app) {
 app.use(async (ctx, next) => {
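Review bot: The added middleware calls `ctx.set('X-XSS-Protection', '0')` before `next()`, so any middleware registered later that writes the same header replaces the `0`; if the older helmet pulled in by koa-helmet is mounted after this hook (not visible in the hunk), responses would still carry its legacy value. Setting the header on the way back out, `app.use(async (ctx, next) => { await next(); ctx.set('X-XSS-Protection', '0'); });`, or disabling the filter in the helmet options with `xssFilter: false`, makes the outcome independent of registration order. The second comment line is a bare `//`, so the reference the commit subject points to ("per …") is missing; a short rationale such as `// the legacy browser XSS auditor is deprecated and can introduce its own flaws; CSP is the actual defence` would keep the intent readable. The enclosing hook starts above the hunk, so what it registers earlier cannot be confirmed from here.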