From 91519c98a8dd0e3e541c40080fa8823f65981885 Mon Sep 17 00:00:00 2001
From: Jose Quintana
Date: Sat, 3 Jun 2023 22:17:51 +0200
Subject: [PATCH] fix: remove obsolete `X-XSS-Protection` header

the `X-XSS-Protection` is a legacy, non-standard and deprecated header for older web browsers that don't yet support CSP (Content-Security-Policy) header. but it is deprecated and no longer considered an effective defense mechanism.

- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
- https://crashtest-security.com/x-xss-protection-retired/
---
 src/security_headers.rs | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/src/security_headers.rs b/src/security_headers.rs
index e02edb5..9020f08 100644
--- a/src/security_headers.rs
+++ b/src/security_headers.rs
@@ -8,7 +8,6 @@ use http::header::{
     CONTENT_SECURITY_POLICY, STRICT_TRANSPORT_SECURITY, X_CONTENT_TYPE_OPTIONS, X_FRAME_OPTIONS,
-    X_XSS_PROTECTION,
 };
 use hyper::{Body, Response};
 
@@ -27,10 +26,6 @@ pub fn append_headers(resp: &mut Response) {
     resp.headers_mut()
         .insert(X_FRAME_OPTIONS, "DENY".parse().unwrap());
 
-    // X-XSS-Protection
-    resp.headers_mut()
-        .insert(X_XSS_PROTECTION, "1; mode=block".parse().unwrap());
-
     // X-Content-Type-Options
     resp.headers_mut()
         .insert(X_CONTENT_TYPE_OPTIONS, "nosniff".parse().unwrap());
-- 
libgit2 1.7.2