Merge pull request 'Drop XSS auditor' (#292) from r3g_5z/akkoma:drop-xss-auditor into develop
Some checks are pending
ci/woodpecker/push/woodpecker Pipeline is pending

Reviewed-on: #292
This commit is contained in:
floatingghost 2022-11-20 04:00:25 +00:00
commit 6453297e9c
5 changed files with 5 additions and 5 deletions

View file

@ -23,7 +23,7 @@ This sets the `secure` flag on Akkomas session cookie. This makes sure, that
This will send additional HTTP security headers to the clients, including:
* `X-XSS-Protection: "1; mode=block"`
* `X-XSS-Protection: "0"`
* `X-Permitted-Cross-Domain-Policies: "none"`
* `X-Frame-Options: "DENY"`
* `X-Content-Type-Options: "nosniff"`

View file

@ -155,7 +155,7 @@ server {
location / {
add_header X-XSS-Protection "1; mode=block";
add_header X-XSS-Protection "0";
add_header X-Permitted-Cross-Domain-Policies none;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

View file

@ -99,7 +99,7 @@ server {
location / {
add_header X-XSS-Protection "1; mode=block";
add_header X-XSS-Protection "0";
add_header X-Permitted-Cross-Domain-Policies none;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

View file

@ -160,7 +160,7 @@ http protocol plerup { # Protocol for upstream akkoma server
match request header append "X-Forwarded-For" value "$REMOTE_ADDR" # This two header and the next one are not strictly required by akkoma but adding them won't hurt
match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
match response header append "X-XSS-Protection" value "1; mode=block"
match response header append "X-XSS-Protection" value "0"
match response header append "X-Permitted-Cross-Domain-Policies" value "none"
match response header append "X-Frame-Options" value "DENY"
match response header append "X-Content-Type-Options" value "nosniff"

View file

@ -42,7 +42,7 @@ def headers do
custom_http_frontend_headers = custom_http_frontend_headers()
headers = [
{"x-xss-protection", "1; mode=block"},
{"x-xss-protection", "0"},
{"x-permitted-cross-domain-policies", "none"},
{"x-frame-options", "DENY"},
{"x-content-type-options", "nosniff"},