https://bz.apache.org/bugzilla/show_bug.cgi?id=66622

            Bug ID: 66622
           Summary: Enabling httpHeaderSecurity includes X-XSS-Protection
                    the protection header which goes against Mozilla
                    recommendations
           Product: Tomcat 8
           Version: 8.5.x-trunk
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: Connectors
          Assignee: dev@tomcat.apache.org
          Reporter: schulze-hew...@infoseccorp.com
  Target Milestone: ----

In https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
Mozilla states that no web-facing server should send the X-XSS-Protection
header, but when enabling the httpHeaderSecurity filter, X-XSS-Protection is one
of the headers added. It would be better to exclude it.
