Conversation

I'm not sure who needs to hear this but... X-XSS-Protection security header is dead. It's only for backwards compatibility, but recently (2019) vulnerabilities have been discovered and it's been used successfully to attack apps. Use Content Security Policy (CSP) instead. 🌞

108

377

Replying to

It would be nice if hardenize.com stopped recommending it and also replaced their X-Frame-Options recommendation with using CSP frame-ancestors. Rather than the obsolete X-XSS-Protection, they could check that there's no unsafe-inline/unsafe-eval for script-src.

Replying to

and

It may still make sense to set these for IE11 but I don't think anyone should be *recommending* setting it as if it's a best practice. Also, as you explain here, the main thing that actually needs to be done for legacy browsers is *disabling* the unsafe filtering.

6:19 PM · Jan 8, 2021Twitter Web App

Replying to

and

Either via `0` or `1; mode=block` where 0 also avoids other potential issues. IE11 mostly don't support CSP so that's worth noting. It's deprecated but still supported, unfortunately. Until it's not supported at all, there will be people who think headers should be set for it.

Replying to

and

`require-trusted-types-for 'script'` is also definitely worth recommending.