Merge branch 'master' into token_ttl

StackStorm · Jul 20, 2022 · 0cabcf3 · 0cabcf3
2 parents 967744f + 5a4260a
commit 0cabcf3
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 2 deletions.
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -19,6 +19,11 @@ Fixed
 
   Contributed by @S-T-A-R-L-O-R-D
 
+
+* Fixed ``st2client/st2client/base.py`` file to use ``https_proxy``(not ``http_proxy``) to check HTTPS_PROXY environment variables.
+
+  Contributed by @wfgydbu
+
 Added
 ~~~~~
 
@@ -70,6 +75,10 @@ Changed
 
   Contributed by @cognifloyd
 
+* Changed the `X-XSS-Protection` HTTP header from `1; mode=block` to `0` in the `conf/nginx/st2.conf` to align with the OWASP security standards. #5298
+
+  Contributed by @LiamRiddell
+
 3.7.0 - May 05, 2022
 --------------------
 

diff --git a/conf/nginx/st2.conf b/conf/nginx/st2.conf
@@ -49,7 +49,7 @@ server {
   add_header              X-Content-Type-Options nosniff;
   add_header              X-Frame-Options DENY always;
   add_header              Strict-Transport-Security "max-age=3153600;includeSubDomains";
-  add_header              X-XSS-Protection "1; mode=block";
+  add_header              X-XSS-Protection "0";
 
   location @apiError {
     add_header Content-Type application/json always;

diff --git a/st2client/st2client/base.py b/st2client/st2client/base.py
@@ -453,6 +453,6 @@ def _print_client_settings(self, args):
         )
         print(
             "HTTPS_PROXY: %s"
-            % (os.environ.get("http_proxy", os.environ.get("HTTPS_PROXY", "")))
+            % (os.environ.get("https_proxy", os.environ.get("HTTPS_PROXY", "")))
         )
         print("")