fix: remove obsolete X-XSS-Protection header

the `X-XSS-Protection` is a legacy, non-standard and deprecated header for older web browsers that don't yet support CSP (Content-Security-Policy) header. but it is deprecated and no longer considered an effective defense mechanism. - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection - https://crashtest-security.com/x-xss-protection-retired/
2026-01-25 05:06:33 +00:00 · 2023-06-03 22:17:51 +02:00
parent a75147e1b8
commit 91519c98a8
1 changed files with 0 additions and 5 deletions
--- a/src/security_headers.rs
+++ b/src/security_headers.rs
@@ -8,7 +8,6 @@

 use http::header::{
    CONTENT_SECURITY_POLICY, STRICT_TRANSPORT_SECURITY, X_CONTENT_TYPE_OPTIONS, X_FRAME_OPTIONS,
-    X_XSS_PROTECTION,
 };
 use hyper::{Body, Response};

@@ -27,10 +26,6 @@ pub fn append_headers(resp: &mut Response<Body>) {
    resp.headers_mut()
        .insert(X_FRAME_OPTIONS, "DENY".parse().unwrap());

-    // X-XSS-Protection
-    resp.headers_mut()
-        .insert(X_XSS_PROTECTION, "1; mode=block".parse().unwrap());
-
    // X-Content-Type-Options
    resp.headers_mut()
        .insert(X_CONTENT_TYPE_OPTIONS, "nosniff".parse().unwrap());