Drop XSS auditor
It's deprecated, removed in some, by all modern browsers and is known to create XSS vulnerabilities in itself. Signed-off-by: r3g_5z <june@terezi.dev>
This commit is contained in:
parent
fb5f846e8c
commit
f90552f62e
|
@ -23,7 +23,7 @@ This sets the `secure` flag on Akkoma’s session cookie. This makes sure, that
|
||||||
|
|
||||||
This will send additional HTTP security headers to the clients, including:
|
This will send additional HTTP security headers to the clients, including:
|
||||||
|
|
||||||
* `X-XSS-Protection: "1; mode=block"`
|
* `X-XSS-Protection: "0"`
|
||||||
* `X-Permitted-Cross-Domain-Policies: "none"`
|
* `X-Permitted-Cross-Domain-Policies: "none"`
|
||||||
* `X-Frame-Options: "DENY"`
|
* `X-Frame-Options: "DENY"`
|
||||||
* `X-Content-Type-Options: "nosniff"`
|
* `X-Content-Type-Options: "nosniff"`
|
||||||
|
|
|
@ -155,7 +155,7 @@ server {
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
|
|
||||||
add_header X-XSS-Protection "1; mode=block";
|
add_header X-XSS-Protection "0";
|
||||||
add_header X-Permitted-Cross-Domain-Policies none;
|
add_header X-Permitted-Cross-Domain-Policies none;
|
||||||
add_header X-Frame-Options DENY;
|
add_header X-Frame-Options DENY;
|
||||||
add_header X-Content-Type-Options nosniff;
|
add_header X-Content-Type-Options nosniff;
|
||||||
|
|
|
@ -99,7 +99,7 @@ server {
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
|
|
||||||
add_header X-XSS-Protection "1; mode=block";
|
add_header X-XSS-Protection "0";
|
||||||
add_header X-Permitted-Cross-Domain-Policies none;
|
add_header X-Permitted-Cross-Domain-Policies none;
|
||||||
add_header X-Frame-Options DENY;
|
add_header X-Frame-Options DENY;
|
||||||
add_header X-Content-Type-Options nosniff;
|
add_header X-Content-Type-Options nosniff;
|
||||||
|
|
|
@ -160,7 +160,7 @@ http protocol plerup { # Protocol for upstream akkoma server
|
||||||
match request header append "X-Forwarded-For" value "$REMOTE_ADDR" # This two header and the next one are not strictly required by akkoma but adding them won't hurt
|
match request header append "X-Forwarded-For" value "$REMOTE_ADDR" # This two header and the next one are not strictly required by akkoma but adding them won't hurt
|
||||||
match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
|
match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
|
||||||
|
|
||||||
match response header append "X-XSS-Protection" value "1; mode=block"
|
match response header append "X-XSS-Protection" value "0"
|
||||||
match response header append "X-Permitted-Cross-Domain-Policies" value "none"
|
match response header append "X-Permitted-Cross-Domain-Policies" value "none"
|
||||||
match response header append "X-Frame-Options" value "DENY"
|
match response header append "X-Frame-Options" value "DENY"
|
||||||
match response header append "X-Content-Type-Options" value "nosniff"
|
match response header append "X-Content-Type-Options" value "nosniff"
|
||||||
|
|
|
@ -42,7 +42,7 @@ def headers do
|
||||||
custom_http_frontend_headers = custom_http_frontend_headers()
|
custom_http_frontend_headers = custom_http_frontend_headers()
|
||||||
|
|
||||||
headers = [
|
headers = [
|
||||||
{"x-xss-protection", "1; mode=block"},
|
{"x-xss-protection", "0"},
|
||||||
{"x-permitted-cross-domain-policies", "none"},
|
{"x-permitted-cross-domain-policies", "none"},
|
||||||
{"x-frame-options", "DENY"},
|
{"x-frame-options", "DENY"},
|
||||||
{"x-content-type-options", "nosniff"},
|
{"x-content-type-options", "nosniff"},
|
||||||
|
|
Loading…
Reference in a new issue