

author Jose Quintana <joseluisquintana20@gmail.com> 2023-06-03 20:17:51.0 +00:00:00
committer Jose Quintana <joseluisquintana20@gmail.com> 2023-06-03 20:17:51.0 +00:00:00
commit
91519c98a8dd0e3e541c40080fa8823f65981885 [patch]
tree
a9400a27c03cb0d86ba49c19f1e16a00bca9ce00
parent
a75147e1b86019bd3b88a5c599b8ff57961f5562

fix: remove obsolete `X-XSS-Protection` header

The `X-XSS-Protection` header is a legacy, non-standard header intended for older web browsers
that do not yet support the CSP (Content-Security-Policy) header.

It is deprecated and is no longer considered an effective defense mechanism.

- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
- https://crashtest-security.com/x-xss-protection-retired/


 src/security_headers.rs | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/src/security_headers.rs b/src/security_headers.rs
index e02edb5..9020f08 100644
--- a/src/security_headers.rs
+++ b/src/security_headers.rs
@@ -8,7 +8,6 @@

use http::header::{
    CONTENT_SECURITY_POLICY, STRICT_TRANSPORT_SECURITY, X_CONTENT_TYPE_OPTIONS, X_FRAME_OPTIONS,
    X_XSS_PROTECTION,
};
use hyper::{Body, Response};

@@ -27,10 +26,6 @@ pub fn append_headers(resp: &mut Response<Body>) {
    resp.headers_mut()
        .insert(X_FRAME_OPTIONS, "DENY".parse().unwrap());

    // X-XSS-Protection
    resp.headers_mut()
        .insert(X_XSS_PROTECTION, "1; mode=block".parse().unwrap());

    // X-Content-Type-Options
    resp.headers_mut()
        .insert(X_CONTENT_TYPE_OPTIONS, "nosniff".parse().unwrap());