https://bz.apache.org/bugzilla/show_bug.cgi?id=66622
Bug ID: 66622
Summary: Enabling httpHeaderSecurity includes X-XSS-Protection the protection header which goes against Mozilla recommendations
Product: Tomcat 8
Version: 8.5.x-trunk
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P2
Component: Connectors
Assignee: dev@tomcat.apache.org
Reporter: schulze-hew...@infoseccorp.com
Target Milestone: ----

In https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection Mozilla states that no web facing server should send the X-XSS-Protection header, but when enabling the httpHeaderSecurity filter X-XSS-Protection is one of the headers added. It would be better to exclude it.