
Merge pull request #5298 from LiamRiddell/master
Changed X-XSS-Protection to follow OWASP standards due to deprecation.
cognifloyd authored Jul 19, 2022
2 parents 3b52fdb + 289957b commit 4dbc4f6
Showing 2 changed files with 5 additions and 1 deletion.
4 changes: 4 additions & 0 deletions CHANGELOG.rst
@@ -67,6 +67,10 @@ Changed

Contributed by @cognifloyd

* Changed the `X-XSS-Protection` HTTP header from `1; mode=block` to `0` in the `conf/nginx/st2.conf` to align with the OWASP security standards. #5298

Contributed by @LiamRiddell

3.7.0 - May 05, 2022
--------------------

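Review bot: the new entry `* Changed the `X-XSS-Protection` HTTP header from `1; mode=block` to `0` ...` says only that the change aligns "with the OWASP security standards" and never says which guidance or why, so a changelog reader cannot tell whether `0` is a hardening or a relaxation. State the reason the commit message gives (the header is deprecated) and name the source, e.g. the OWASP HTTP Security Response Headers Cheat Sheet, which recommends `X-XSS-Protection: 0` because the browser XSS auditor the header controls has been removed from modern browsers and, where it survives, can itself introduce vulnerabilities, with a Content-Security-Policy as the intended replacement. Style point: in reStructuredText single backticks are interpreted text rather than an inline literal; use double backticks (``X-XSS-Protection``, ``conf/nginx/st2.conf``) unless the file deliberately uses the single-backtick default role in its other entries.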
2 changes: 1 addition & 1 deletion conf/nginx/st2.conf
@@ -49,7 +49,7 @@ server {
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options DENY always;
add_header Strict-Transport-Security "max-age=3153600;includeSubDomains";
add_header X-XSS-Protection "1; mode=block";
add_header X-XSS-Protection "0";

location @apiError {
add_header Content-Type application/json always;
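Review bot: `add_header X-XSS-Protection "0";` should take the `always` parameter, as the `add_header X-Frame-Options DENY always;` line above it does: without `always`, nginx attaches the header only to 200, 201, 204, 206, 301, 302, 303, 304, 307 and 308 responses, so a 4xx/5xx page that reflects request input would still be subject to the legacy filter in any browser that retains it. Two more things visible in this hunk deserve a follow-up. The `location @apiError` block defines its own `add_header Content-Type application/json always;`, and nginx inherits `add_header` from the enclosing level only when the current level defines none, so none of the server-level security headers (this one included) are emitted on responses served from `@apiError` unless they are repeated there or pulled in through an `include`d snippet. And the unchanged `Strict-Transport-Security "max-age=3153600;includeSubDomains"` is one digit short: 3153600 seconds is roughly 36.5 days, not the one year (31536000) that is the usual minimum, which looks like a typo. Finally, the OWASP guidance the commit message cites treats Content-Security-Policy as the replacement for this header, and nothing in the diff adds one.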

0 comments on commit 4dbc4f6
