gaja-group
/
server-configs-nginx
mirror of https://github.com/h5bp/server-configs-nginx
2
0
Fork 0
Code Issues Releases Wiki Activity

Drop `X-XSS-Protection` header usage as per its deprecation 

Ref https://github.com/h5bp/server-configs-apache/pull/253
Ref https://github.com/h5bp/server-configs-apache/issues/198

Closes https://github.com/h5bp/server-configs-nginx/pull/260
This commit is contained in:
Léo Colombaro 2021-06-14 00:37:25 +02:00
parent 4556277ced
commit 836467c8b5
3 changed files with 0 additions and 46 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
h5bp/basic.conf
View File

@ -4,6 +4,5 @@
include h5bp/security/referrer-policy.conf; include h5bp/security/referrer-policy.conf;
include h5bp/security/x-content-type-options.conf; include h5bp/security/x-content-type-options.conf;
include h5bp/security/x-frame-options.conf; include h5bp/security/x-frame-options.conf;
include h5bp/security/x-xss-protection.conf;
include h5bp/location/security_file_access.conf; include h5bp/location/security_file_access.conf;
include h5bp/cross-origin/requests.conf; include h5bp/cross-origin/requests.conf;

38
h5bp/security/x-xss-protection.conf
View File

@ -1,38 +0,0 @@
# ----------------------------------------------------------------------
# | Cross-Site Scripting (XSS) Protection |
# ----------------------------------------------------------------------
# Protect website reflected Cross-Site Scripting (XSS) attacks.
#
# (1) Try to re-enable the cross-site scripting (XSS) filter built into most
# web browsers.
#
# The filter is usually enabled by default, but in some cases, it may be
# disabled by the user. However, in Internet Explorer, for example, it can
# be re-enabled just by sending the `X-XSS-Protection` header with the
# value of `1`.
#
# (2) Prevent web browsers from rendering the web page if a potential reflected
# (a.k.a non-persistent) XSS attack is detected by the filter.
#
# By default, if the filter is enabled and browsers detect a reflected XSS
# attack, they will attempt to block the attack by making the smallest
# possible modifications to the returned web page.
#
# Unfortunately, in some browsers (e.g.: Internet Explorer), this default
# behavior may allow the XSS filter to be exploited. Therefore, it's better
# to inform browsers to prevent the rendering of the page altogether,
# instead of attempting to modify it.
#
# https://hackademix.net/2009/11/21/ies-xss-filter-creates-xss-vulnerabilities
#
# (!) Do not rely on the XSS filter to prevent XSS attacks! Ensure that you are
# taking all possible measures to prevent XSS attacks, the most obvious
# being: validating and sanitizing your website's inputs.
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
# https://blogs.msdn.microsoft.com/ie/2008/07/02/ie8-security-part-iv-the-xss-filter/
# https://blogs.msdn.microsoft.com/ieinternals/2011/01/31/controlling-the-xss-filter/
# https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
add_header X-XSS-Protection $x_xss_protection always;

7
nginx.conf
View File

@ -96,13 +96,6 @@ http {
# Specify file cache expiration. # Specify file cache expiration.
include h5bp/web_performance/cache_expiration.conf; include h5bp/web_performance/cache_expiration.conf;
# Add X-XSS-Protection for HTML documents.
# h5bp/security/x-xss-protection.conf
map $sent_http_content_type $x_xss_protection {
# (1) (2)
~*text/html "1; mode=block";
}
# Add X-Frame-Options for HTML documents. # Add X-Frame-Options for HTML documents.
# h5bp/security/x-frame-options.conf # h5bp/security/x-frame-options.conf
map $sent_http_content_type $x_frame_options { map $sent_http_content_type $x_frame_options {