<![CDATA[Remove deprecated X-XSS-Protection header from the nginx config]]>Cloudron currently sets X-XSS-Protection: 1; mode=block; (https://git.cloudron.io/platform/box/-/blob/master/src/nginxconfig.ejs#L110)

Mozilla's MDN documentation explicitly warns that "in some cases, X-XSS-Protection can create XSS vulnerabilities in otherwise safe websites" and advises to "avoid using it." Chrome removed the feature, and Firefox never implemented it. Only Internet Explorer fully supported it, and I think we're all glad that IE is not a thing anymore.

If I understand it correctly, the recommended approach is to either remove the X-XSS-Protection header entirely or explicitly set it to X-XSS-Protection: 0 to disable the legacy XSS filter in older browsers that might still honor it, then rely on properly configured CSP headers for actual protection.

Given that Cloudron supports CSP, I think there's no justification for keeping a deprecated header that introduces more risk than protection.

]]>https://forum.cloudron.io/topic/15370/remove-deprecated-x-xss-protection-header-from-the-nginx-configRSS for NodeFri, 10 Apr 2026 16:38:07 GMTFri, 10 Apr 2026 11:22:50 GMT60<![CDATA[Reply to Remove deprecated X-XSS-Protection header from the nginx config on Fri, 10 Apr 2026 14:49:55 GMT]]>I would absolutely advocate for re-adding X-Content-Type-Options: nosniff as long as we don't have a way to set headers directly in the Security Settings of Cloudron Apps (like we can with CSP headers). That header still provides meaningful protection against MIME-sniffing attacks and has widespread browser support.

Afaik, X-Permitted-Cross-Domain-Policies is still used by Acrobat (which is unfortunately far from dead), but I agree it's fair to remove it from the default configuration since it's an edge-case.

]]>https://forum.cloudron.io/post/123161https://forum.cloudron.io/post/123161Fri, 10 Apr 2026 14:49:55 GMT<![CDATA[Reply to Remove deprecated X-XSS-Protection header from the nginx config on Fri, 10 Apr 2026 14:33:00 GMT]]>I think X-Permitted-Cross-Domain-Policies is for the long dead adobe flash which used to use some crossdomain.xml . X-Content-Type-Options: nosniff might be worth putting back. But over time, I have removed many headers like X-Frame-Options (which is in OWASP) because they are causing browser warnings.

]]>https://forum.cloudron.io/post/123160https://forum.cloudron.io/post/123160Fri, 10 Apr 2026 14:33:00 GMT<![CDATA[Reply to Remove deprecated X-XSS-Protection header from the nginx config on Fri, 10 Apr 2026 14:26:15 GMT]]>I just saw that you also removed X-Content-Type-Options as well as X-Permitted-Cross-Domain-Policies.

OWASP 1, 2 still recommends these headers so maybe it was a bit hasty to also remove them?

]]>https://forum.cloudron.io/post/123159https://forum.cloudron.io/post/123159Fri, 10 Apr 2026 14:26:15 GMT<![CDATA[Reply to Remove deprecated X-XSS-Protection header from the nginx config on Fri, 10 Apr 2026 14:14:37 GMT]]>Thank you!

]]>https://forum.cloudron.io/post/123158https://forum.cloudron.io/post/123158Fri, 10 Apr 2026 14:14:37 GMT<![CDATA[Reply to Remove deprecated X-XSS-Protection header from the nginx config on Fri, 10 Apr 2026 14:08:56 GMT]]>Thanks for reporting, I have removed these.

]]>https://forum.cloudron.io/post/123157https://forum.cloudron.io/post/123157Fri, 10 Apr 2026 14:08:56 GMT