remove X-XSS-Protection header (#5330)

* remove X-XSS header, resolves #5328 * remove X-XSS header, resolves #5328 Co-authored-by: Manuel Sommer <[email protected]>
DefectDojo · Oct 25, 2021 · 58ee3f3 · 58ee3f3
1 parent 0ded839
commit 58ee3f3
Show file tree

Hide file tree

Showing 2 changed files with 0 additions and 8 deletions.
diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py
@@ -30,7 +30,6 @@
     DD_SESSION_EXPIRE_AT_BROWSER_CLOSE=(bool, False),
     DD_SESSION_COOKIE_AGE=(int, 1209600),  # 14 days
     DD_CSRF_COOKIE_SECURE=(bool, False),
-    DD_SECURE_BROWSER_XSS_FILTER=(bool, True),
     DD_SECURE_CONTENT_TYPE_NOSNIFF=(bool, True),
     DD_TIME_ZONE=(str, 'UTC'),
     DD_LANG=(str, 'en-us'),
@@ -544,10 +543,6 @@ def generate_url(scheme, double_slashes, user, password, host, port, path, param
 # (except for those URLs matching a regular expression listed in SECURE_REDIRECT_EXEMPT).
 SECURE_SSL_REDIRECT = env('DD_SECURE_SSL_REDIRECT')
 
-# If True, the SecurityMiddleware sets the X-XSS-Protection: 1;
-# mode=block header on all responses that do not already have it.
-SECURE_BROWSER_XSS_FILTER = env('DD_SECURE_BROWSER_XSS_FILTER')
-
 # If True, the SecurityMiddleware sets the X-Content-Type-Options: nosniff;
 SECURE_CONTENT_TYPE_NOSNIFF = env('DD_SECURE_CONTENT_TYPE_NOSNIFF')
 

diff --git a/dojo/settings/template-env b/dojo/settings/template-env
@@ -43,9 +43,6 @@ DD_WHITENOISE=True
 # Whether to use a secure cookie for the CSRF cookie.
 # DD_CSRF_COOKIE_SECURE=False
 
-# If True, the SecurityMiddleware sets the X-XSS-Protection: 1;
-# DD_SECURE_BROWSER_XSS_FILTER=True
-
 # If True, the SecurityMiddleware sets the X-Content-Type-Options: nosniff;
 # DD_SECURE_CONTENT_TYPE_NOSNIFF=True