From 58ee3f3538f983a553b2294ee3984cbfa1ebc9ca Mon Sep 17 00:00:00 2001
From: manuel-sommer <47991713+manuel-sommer@users.noreply.github.com>
Date: Mon, 25 Oct 2021 15:53:44 +0200
Subject: [PATCH] remove X-XSS-Protection header (#5330)

* remove X-XSS header, resolves #5328

* remove X-XSS header, resolves #5328

Co-authored-by: Manuel Sommer
---
 dojo/settings/settings.dist.py | 5 -----
 dojo/settings/template-env | 3 ---
 2 files changed, 8 deletions(-)

diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py
index 84ae51656e4..fa694ecc1a1 100644
--- a/dojo/settings/settings.dist.py
+++ b/dojo/settings/settings.dist.py
@@ -30,7 +30,6 @@
     DD_SESSION_EXPIRE_AT_BROWSER_CLOSE=(bool, False),
     DD_SESSION_COOKIE_AGE=(int, 1209600), # 14 days
     DD_CSRF_COOKIE_SECURE=(bool, False),
-    DD_SECURE_BROWSER_XSS_FILTER=(bool, True),
     DD_SECURE_CONTENT_TYPE_NOSNIFF=(bool, True),
     DD_TIME_ZONE=(str, 'UTC'),
     DD_LANG=(str, 'en-us'),
@@ -544,10 +543,6 @@ def generate_url(scheme, double_slashes, user, password, host, port, path, param
 # (except for those URLs matching a regular expression listed in SECURE_REDIRECT_EXEMPT).
 SECURE_SSL_REDIRECT = env('DD_SECURE_SSL_REDIRECT')
 
-# If True, the SecurityMiddleware sets the X-XSS-Protection: 1;
-# mode=block header on all responses that do not already have it.
-SECURE_BROWSER_XSS_FILTER = env('DD_SECURE_BROWSER_XSS_FILTER')
-
 # If True, the SecurityMiddleware sets the X-Content-Type-Options: nosniff;
 SECURE_CONTENT_TYPE_NOSNIFF = env('DD_SECURE_CONTENT_TYPE_NOSNIFF')
 
diff --git a/dojo/settings/template-env b/dojo/settings/template-env
index 102ff1c8cef..ca068a10dc9 100644
--- a/dojo/settings/template-env
+++ b/dojo/settings/template-env
@@ -43,9 +43,6 @@ DD_WHITENOISE=True
 # Whether to use a secure cookie for the CSRF cookie.
 # DD_CSRF_COOKIE_SECURE=False
 
-# If True, the SecurityMiddleware sets the X-XSS-Protection: 1;
-# DD_SECURE_BROWSER_XSS_FILTER=True
-
 # If True, the SecurityMiddleware sets the X-Content-Type-Options: nosniff;
 # DD_SECURE_CONTENT_TYPE_NOSNIFF=True
 