XSS protection should be set to 0 by default per updated OWASP recommendation #9631

@candrews

Description

Expected Behavior

By default, Spring Security should send this HTTP header:
X-XSS-Protection: 0

Current Behavior

By default, Spring Security sends this HTTP header:
X-XSS-Protection: 1; mode=block

Context
OWASP has updated its recommendation regarding the X-XSS-Protection HTTP header.

OWASP used to recommend the header be set to 1; mode=block, which is what Spring Security does by default today. See https://docs.spring.io/spring-security/site/docs/current/reference/html5/#headers-xss-protection

However, they now recommend the header be set to 0.

See OWASP/CheatSheetSeries#376
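The two settings contrasted above, as an added example that is not part of the issue or of Spring Security's own code: a Java configuration that overrides the default and emits `X-XSS-Protection: 0`, followed by a unit-level check that drives the header writer directly. It assumes Spring Security 5.8 or later (the `HeaderValue` enum and `headerValue(...)`/`setHeaderValue(...)` calls), plus `spring-test` and JUnit 5 for the check; on older 5.x releases the equivalent calls are `xssProtectionEnabled(false)` and `setEnabled(false)`.

```java
import org.junit.jupiter.api.Test;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.header.writers.XXssProtectionHeaderWriter;
import org.springframework.security.web.header.writers.XXssProtectionHeaderWriter.HeaderValue;

import static org.junit.jupiter.api.Assertions.assertEquals;

@Configuration
@EnableWebSecurity
public class XssHeaderConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.headers(headers -> headers
            // Until this issue is resolved, the default is equivalent to
            //   xss.headerValue(HeaderValue.ENABLED_MODE_BLOCK)  -> "1; mode=block"
            // Override it to the value OWASP now recommends, which tells
            // browsers that still ship the legacy XSS auditor to turn it off.
            .xssProtection(xss -> xss.headerValue(HeaderValue.DISABLED))
        );
        return http.build();
    }

    // Defender-side check: exercise the header writer on a mock response so the
    // emitted value can be asserted without starting a servlet container.
    static class XssHeaderWriterTest {

        @Test
        void headerIsDisabledValue() {
            XXssProtectionHeaderWriter writer = new XXssProtectionHeaderWriter();
            writer.setHeaderValue(HeaderValue.DISABLED);

            MockHttpServletRequest request = new MockHttpServletRequest();
            MockHttpServletResponse response = new MockHttpServletResponse();
            writer.writeHeaders(request, response);

            assertEquals("0", response.getHeader("X-XSS-Protection"));
        }

        @Test
        void defaultWriterStillEmitsBlockMode() {
            // Documents the behaviour this issue asks to change (assumed default).
            XXssProtectionHeaderWriter writer = new XXssProtectionHeaderWriter();
            MockHttpServletResponse response = new MockHttpServletResponse();
            writer.writeHeaders(new MockHttpServletRequest(), response);
            assertEquals("1; mode=block", response.getHeader("X-XSS-Protection"));
        }
    }
}
```

The second test encodes the current default described in the issue, so it will start failing once the project changes the default to `0`, which is the intended signal.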

Labels

in: web (An issue in web modules (web, webmvc)); type: breaks-passivity (A change that breaks passivity with the previous release); type: enhancement (A general enhancement)
