fix: Header x-xss-protection should be disabled

jumpingrivers · May 18, 2023 · 3176ead · 3176ead
1 parent 4cb9433
commit 3176ead
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 4 deletions.
diff --git a/DESCRIPTION b/DESCRIPTION
@@ -1,7 +1,7 @@
 Type: Package
 Package: serverHeaders
 Title: Posit Connect Health Check
-Version: 0.0.3
+Version: 0.0.4
 Authors@R:
     person("Jumping", "Rivers", , "[email protected]", role = c("aut", "cre"))
 Description: Posit Connect Health Check. Deploys various content types to

diff --git a/NEWS.md b/NEWS.md
@@ -1,3 +1,6 @@
+# serverHeaders 0.0.4 _2023-05-18_
+- fix: x-xss-protection should be disabled (https://github.com/OWASP/CheatSheetSeries/issues/376)
+
 # serverHeaders 0.0.3 _2023-05-10_
 - feat: Return all status codes - not just the final code
 - tests: Add additional tests using different servers

diff --git a/R/server_header_summaries.R b/R/server_header_summaries.R
@@ -166,17 +166,18 @@ header_summary.scheme = function(value, ...) { #nolint
                 value = as.character(value))
 }
 
+# https://infosec.mozilla.org/guidelines/web_security#x-xss-protection
 #' @rdname header_summary
 #' @export
 `header_summary.x-xss-protection` = function(value, ...) { #nolint
   security_header = class(value)
   value = as.character(value)
-  if (value == "nosniff") {
+  if (value == "0") {
     status = "OK"
-    message = "Acceptable setting found"
+    message = "Acceptable setting found: x-xss-proection disabled"
   } else {
     status = "WARN"
-    message = "Required value ('nosniff') not present"
+    message = "Recommendation: header should be set 0"
   }
   dplyr::tibble(security_header = security_header,
                 status = status,