Remove deprecated X-XSS-Protection header from the nginx config
-
Cloudron currently sets
X-XSS-Protection: 1; mode=block;(https://git.cloudron.io/platform/box/-/blob/master/src/nginxconfig.ejs#L110)Mozilla's MDN documentation explicitly warns that "in some cases, X-XSS-Protection can create XSS vulnerabilities in otherwise safe websites" and advises to "avoid using it." Chrome removed the feature, and Firefox never implemented it. Only Internet Explorer fully supported it, and I think we're all glad that IE is not a thing anymore.
If I understand it correctly, the recommended approach is to either remove the
X-XSS-Protectionheader entirely or explicitly set it toX-XSS-Protection: 0to disable the legacy XSS filter in older browsers that might still honor it, then rely on properly configured CSP headers for actual protection.Given that Cloudron supports CSP, I think there's no justification for keeping a deprecated header that introduces more risk than protection.
-
G girish marked this topic as a question
-
G girish has marked this topic as solved
-
Thank you!
-
I think
X-Permitted-Cross-Domain-Policiesis for the long dead adobe flash which used to use some crossdomain.xml .X-Content-Type-Options: nosniffmight be worth putting back. But over time, I have removed many headers likeX-Frame-Options(which is in OWASP) because they are causing browser warnings. -
I would absolutely advocate for re-adding
X-Content-Type-Options: nosniffas long as we don't have a way to set headers directly in the Security Settings of Cloudron Apps (like we can with CSP headers). That header still provides meaningful protection against MIME-sniffing attacks and has widespread browser support.Afaik,
X-Permitted-Cross-Domain-Policiesis still used by Acrobat (which is unfortunately far from dead), but I agree it's fair to remove it from the default configuration since it's an edge-case.
Hello! It looks like you're interested in this conversation, but you don't have an account yet.
Getting fed up of having to scroll through the same posts each visit? When you register for an account, you'll always come back to exactly where you were before, and choose to be notified of new replies (either via email, or push notification). You'll also be able to save bookmarks and upvote posts to show your appreciation to other community members.
With your input, this post could be even better 💗
Register Login