Drop XSS auditor

It's deprecated by all modern browsers, removed in some, and is known
to create XSS vulnerabilities itself.

Signed-off-by: r3g_5z <june@terezi.dev>
r3g_5z 2022-11-19 20:40:20 -05:00
parent fb5f846e8c
commit f90552f62e
5 changed files with 5 additions and 5 deletions


@ -23,7 +23,7 @@ This sets the `secure` flag on Akkomas session cookie. This makes sure, that
This will send additional HTTP security headers to the clients, including: This will send additional HTTP security headers to the clients, including:
* `X-XSS-Protection: "1; mode=block"` * `X-XSS-Protection: "0"`
* `X-Permitted-Cross-Domain-Policies: "none"` * `X-Permitted-Cross-Domain-Policies: "none"`
* `X-Frame-Options: "DENY"` * `X-Frame-Options: "DENY"`
* `X-Content-Type-Options: "nosniff"` * `X-Content-Type-Options: "nosniff"`


@ -155,7 +155,7 @@ server {
location / { location / {
add_header X-XSS-Protection "1; mode=block"; add_header X-XSS-Protection "0";
add_header X-Permitted-Cross-Domain-Policies none; add_header X-Permitted-Cross-Domain-Policies none;
add_header X-Frame-Options DENY; add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff; add_header X-Content-Type-Options nosniff;
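Review bot: The new `add_header X-XSS-Protection "0";` reads like a weakened setting to anyone who does not know the auditor's history, since "0" looks like less than the "1; mode=block" it replaces, and nothing in the config carries the commit message's rationale. A one-line comment above it would fix that, e.g. `# "0" explicitly disables the legacy browser XSS auditor; omitting the header would leave it enabled in older browsers, where it is itself a known XSS vector`. The same applies to the second nginx section (`@ -99,7 +99,7`) and to the relayd line `match response header append "X-XSS-Protection" value "0"`, where a trailing `# …` comment in the style already used on the X-Forwarded-For line would fit. The enclosing `server {` / `location / {` block starts and ends outside the hunk.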


@ -99,7 +99,7 @@ server {
location / { location / {
add_header X-XSS-Protection "1; mode=block"; add_header X-XSS-Protection "0";
add_header X-Permitted-Cross-Domain-Policies none; add_header X-Permitted-Cross-Domain-Policies none;
add_header X-Frame-Options DENY; add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff; add_header X-Content-Type-Options nosniff;


@ -160,7 +160,7 @@ http protocol plerup { # Protocol for upstream akkoma server
match request header append "X-Forwarded-For" value "$REMOTE_ADDR" # This two header and the next one are not strictly required by akkoma but adding them won't hurt match request header append "X-Forwarded-For" value "$REMOTE_ADDR" # This two header and the next one are not strictly required by akkoma but adding them won't hurt
match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT" match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
match response header append "X-XSS-Protection" value "1; mode=block" match response header append "X-XSS-Protection" value "0"
match response header append "X-Permitted-Cross-Domain-Policies" value "none" match response header append "X-Permitted-Cross-Domain-Policies" value "none"
match response header append "X-Frame-Options" value "DENY" match response header append "X-Frame-Options" value "DENY"
match response header append "X-Content-Type-Options" value "nosniff" match response header append "X-Content-Type-Options" value "nosniff"


@ -42,7 +42,7 @@ def headers do
custom_http_frontend_headers = custom_http_frontend_headers() custom_http_frontend_headers = custom_http_frontend_headers()
headers = [ headers = [
{"x-xss-protection", "1; mode=block"}, {"x-xss-protection", "0"},
{"x-permitted-cross-domain-policies", "none"}, {"x-permitted-cross-domain-policies", "none"},
{"x-frame-options", "DENY"}, {"x-frame-options", "DENY"},
{"x-content-type-options", "nosniff"}, {"x-content-type-options", "nosniff"},
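Review bot: `{"x-xss-protection", "0"}` now sits in a list of hardening headers with nothing explaining why the value is "0" rather than the entry being removed, as the commit title "Drop XSS auditor" suggests; a comment on that line would prevent a later "fix" back to the old value, e.g. `# "0" disables the deprecated browser XSS auditor, which is itself an XSS vector; sending nothing would leave it enabled in older browsers`. The diffstat lists five files with no test change, so if any test asserts the old `"1; mode=block"` value it would now fail and is worth checking. `headers/0` begins before the hunk and its body continues past it.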