chore: disable x-xss-protection by default (#88)

OWASP's recommendation is to use a Content Security Policy (CSP) that disables the use of inline JavaScript, and to not set this header or explicitly turn it off. See: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#x-xss-protection
bepsvpt · Oct 13, 2024 · 3229c4a · 3229c4a
1 parent 4be9615
commit 3229c4a
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/config/secure-headers.php b/config/secure-headers.php
@@ -73,7 +73,7 @@
      * Available Value: '1', '0', '1; mode=block'
      */
 
-    'x-xss-protection' => '1; mode=block',
+    'x-xss-protection' => '',
 
     /*
      * Referrer-Policy