
Possibly not parsing X-XSS-Protection rule correctly. #49

Closed
daniejstriata opened this issue Jun 14, 2018 · 1 comment

Comments


daniejstriata commented Jun 14, 2018

I wanted to point out that we have a server with incorrect config for our security headers, but when using https://securityheaders.com/ to scan the site the issues are not displayed in the rating. I get an A, which gives a false sense of achievement as the config was not perfect. You can refer to https://eb1.bar.uk.striata.com for reference.

The sysadmin added the headers twice but also made a typo on X-XSS-Protection. This error can be seen in Chrome's console view.

[image: screenshot of the Chrome console]

securityheaders.com did not complain about this error:
Error parsing header X-XSS-Protection: 1; mode=block, 1; mode=block: expected semicolon at character position 13. The default protections will be applied.

Here are the items it picked up:

Warnings
Content-Security-Policy This policy contains 'unsafe-inline' which is dangerous in the script-src directive. This policy contains 'unsafe-eval' which is dangerous in the script-src directive.
X-Frame-Options There was a duplicate X-Frame-Options header.
X-XSS-Protection There was a duplicate X-XSS-Protection header.
X-Content-Type-Options There was a duplicate X-Content-Type-Options header.

Regards,
Danie de Jager
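The failure described in this report, as an added example that is not part of the issue and not securityheaders.com's own code: repeated X-XSS-Protection fields are folded into one comma-separated value (the form Chrome shows in its error message above), that value is parsed, and the position of the first character that does not fit the grammar is reported. For the duplicated header this is the comma at character position 13, matching Chrome's message. The grammar is an assumption modelled on the header's documented forms ("0", "1", "1; mode=block", "1; report=<uri>"), not Chrome's actual parser, and all function names and the sample header set are constructed for this example.

```python
"""Fold repeated X-XSS-Protection headers the way a browser does, then parse the result.

Added example; the grammar below is an assumption modelled on the header's documented
forms, not the real Chrome parser.
"""
import re
from typing import Dict, List, Optional, Tuple


class HeaderParseError(ValueError):
    """Raised with the 0-based character position where parsing stopped."""

    def __init__(self, message: str, position: int) -> None:
        super().__init__(f"{message} at character position {position}")
        self.position = position


# A parameter is mode=<token> or report=<token>; a token stops at ';', ',' or whitespace.
_PARAM = re.compile(r"(mode|report)=([^;,\s]+)")


def fold_header_values(values: List[str]) -> str:
    """Emulate how a user agent merges repeated header fields: one comma-joined value."""
    return ", ".join(values)


def parse_x_xss_protection(value: str) -> Dict[str, Optional[object]]:
    """Parse one (already folded) X-XSS-Protection value.

    Returns {"enabled": bool, "mode": "block" or None, "report": str or None}.
    Raises HeaderParseError at the first character that does not fit the grammar.
    """
    s, pos, n = value, 0, len(value)
    result: Dict[str, Optional[object]] = {"enabled": False, "mode": None, "report": None}

    def skip_ws() -> None:
        nonlocal pos
        while pos < n and s[pos] in " \t":
            pos += 1

    skip_ws()
    if pos >= n or s[pos] not in "01":
        raise HeaderParseError("expected '0' or '1'", pos)
    result["enabled"] = s[pos] == "1"
    pos += 1

    while True:
        skip_ws()
        if pos >= n:
            return result
        # A folded duplicate ("..., 1; mode=block") or a stray character lands here:
        # the only thing allowed after a value or parameter is ';'.
        if s[pos] != ";":
            raise HeaderParseError("expected semicolon", pos)
        pos += 1
        skip_ws()
        m = _PARAM.match(s, pos)
        if not m:
            raise HeaderParseError("expected 'mode=' or 'report=' parameter", pos)
        key, val = m.group(1), m.group(2)
        if key == "mode":
            if val != "block":
                raise HeaderParseError(f"unknown mode '{val}'", m.start(2))
            result["mode"] = "block"
        else:
            result["report"] = val
        pos = m.end()


def parse_error_position(value: str) -> Optional[int]:
    """Return the character position where parsing fails, or None if the value is accepted."""
    try:
        parse_x_xss_protection(value)
    except HeaderParseError as err:
        return err.position
    return None


def check_headers(headers: List[Tuple[str, str]]) -> List[str]:
    """Scanner-style check over raw (name, value) pairs; returns human-readable findings."""
    findings: List[str] = []
    values = [v for name, v in headers if name.lower() == "x-xss-protection"]
    if not values:
        return findings
    if len(values) > 1:
        findings.append(f"duplicate X-XSS-Protection header ({len(values)} copies)")
    folded = fold_header_values(values)
    try:
        parse_x_xss_protection(folded)
    except HeaderParseError as err:
        # This is the finding the report says the scanner did not raise.
        findings.append(f"browser will reject X-XSS-Protection '{folded}': {err}")
    return findings


# Constructed response headers reproducing the duplicated-header case from this issue.
DUPLICATED_HEADERS = [
    ("Content-Type", "text/html"),
    ("X-XSS-Protection", "1; mode=block"),
    ("X-XSS-Protection", "1; mode=block"),
]

if __name__ == "__main__":
    for finding in check_headers(DUPLICATED_HEADERS):
        print(finding)
```

The point of folding before parsing is that a scanner which validates each header copy on its own sees two well-formed values and reports only the duplicate, while the browser sees one value it cannot parse and falls back to its default behaviour; checking the folded form surfaces the second problem.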

ScottHelme (Collaborator) commented

XXP will soon be deprecated in Chrome so fixing this doesn't seem worthwhile.
