From ff92275a1bc7228aa9f1372b17555b73e052ca85 Mon Sep 17 00:00:00 2001
From: Liam Riddell
Date: Sat, 3 Jul 2021 14:01:52 +0100
Subject: [PATCH 1/2] Changed X-XSS-Protection to follow standards.
---
 conf/nginx/st2.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/conf/nginx/st2.conf b/conf/nginx/st2.conf
index 41f8bcf6a3..fc2243068a 100644
--- a/conf/nginx/st2.conf
+++ b/conf/nginx/st2.conf
@@ -49,7 +49,7 @@ server {
 add_header X-Content-Type-Options nosniff;
 add_header X-Frame-Options DENY always;
 add_header Strict-Transport-Security "max-age=3153600;includeSubDomains";
- add_header X-XSS-Protection "1; mode=block";
+ add_header X-XSS-Protection "0";
 location @apiError {
 add_header Content-Type application/json always;
From 289957b435da93e956b9bae2e05fd73162313fdb Mon Sep 17 00:00:00 2001
From: Liam Riddell
Date: Tue, 19 Jul 2022 17:27:02 +0100
Subject: [PATCH 2/2] Added changelog entry.
---
 CHANGELOG.rst | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index bff6fa785f..15928867a0 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -67,6 +67,10 @@ Changed
 Contributed by @cognifloyd
+* Changed the `X-XSS-Protection` HTTP header from `1; mode=block` to `0` in the `conf/nginx/st2.conf` to align with the OWASP security standards. #5298
+
+ Contributed by @LiamRiddell
+
 3.7.0 - May 05, 2022
 --------------------
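Review bot: The new `add_header X-XSS-Protection "0";` line omits the `always` parameter, so nginx sends it only on 2xx/3xx responses, unlike the sibling `add_header X-Frame-Options DENY always;` two lines above; since `0` exists to keep the legacy browser XSS auditor switched off on every response, including error pages, `add_header X-XSS-Protection "0" always;` would be the consistent form (the `X-Content-Type-Options` line has the same gap). Also, nginx does not inherit server-level `add_header` directives into a location that declares its own `add_header`, so the `location @apiError` block at the end of the hunk, which adds `Content-Type`, will presumably not carry this header or the other three unless they are repeated there — worth confirming against the full config. Separately, the `Strict-Transport-Security` context line carries `max-age=3153600`, roughly 36 days rather than the one-year value usually intended (`31536000`); that is pre-existing rather than part of this change, but deserves a follow-up. Both the `server` block and the `@apiError` location continue outside the hunk.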