#30680: Remove security.W007 check
               Reporter:  Adam (Chainz) Johnson  |          Owner:  nobody
                   Type:  Uncategorized          |         Status:  new
              Component:  Core (Other)           |        Version:  2.2
               Severity:  Normal                 |       Keywords:
           Triage Stage:  Unreviewed             |      Has patch:  0
    Needs documentation:  0                      |    Needs tests:  0
Patch needs improvement:  0                      |  Easy pickings:  0
                  UI/UX:  0                      |
 As discussed in #30426, it seems that the X-XSS-Protection security header
 is no longer industry best practice, as major browsers are removing their
 XSS auditors and security professionals no longer recommend it:

 * Scott Helme has stopped requiring it on SecurityHeaders.com -
 * Chrome is removing their XSS Auditor -
 * Edge already removed their XSS auditor
 * This is all because the protection is minimal and the false positives
 tend to be damaging - https://frederik-braun.com/xssauditor-bad.html

 As suggested by Ran on #30426, rather than enforce the setting
 `SECURE_BROWSER_XSS_FILTER`, we should actually be looking at removing the
 check `security.W007` so users have one less thing to think about for a
 modern security posture.

Ticket URL: <https://code.djangoproject.com/ticket/30680>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
