Remove X-XSS-Protection header #15344

@jforce

Description

We should not set the X-XSS-Protection header. That header is now deprecated and should not be set. We should remove the following line in totality:

// Ancient weak protection against reflected XSS (equivalent to CSP no unsafe-inline)
w.Header().Set("X-XSS-Protection", "1; mode=block")

See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-XSS-Protection

Also see another issue I raised here: openshift/oauth-server#195
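As an added illustration of the change the issue asks for (this is example code written for this page, not code from the issue author or from the project), the middleware below sets the headers modern browsers actually honour and strips X-XSS-Protection right before the status line is written, so the deprecated header disappears even if a handler deeper in the chain still contains the quoted `w.Header().Set(...)` line. The CSP value, the `headerStripper` type and the `legacyHandler` stand-in are assumptions chosen for the demo; a real deployment would use its own policy sources.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// ContentSecurityPolicy is an illustrative policy (assumption, not the project's real CSP).
// Omitting 'unsafe-inline' from script-src is what gives reflected-XSS protection in
// current browsers; the legacy X-XSS-Protection header no longer does anything in them.
const ContentSecurityPolicy = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'"

// headerStripper wraps an http.ResponseWriter and deletes X-XSS-Protection at the last
// possible moment (first WriteHeader/Write), so a downstream handler cannot reintroduce it.
type headerStripper struct {
	http.ResponseWriter
	wroteHeader bool
}

func (s *headerStripper) WriteHeader(code int) {
	if !s.wroteHeader {
		s.wroteHeader = true
		s.Header().Del("X-XSS-Protection") // deprecated header: never send it
	}
	s.ResponseWriter.WriteHeader(code)
}

func (s *headerStripper) Write(b []byte) (int, error) {
	if !s.wroteHeader {
		s.WriteHeader(http.StatusOK) // implicit 200 must still go through the strip
	}
	return s.ResponseWriter.Write(b)
}

// SecurityHeaders sets the replacement headers and guarantees X-XSS-Protection is absent.
func SecurityHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		h.Set("Content-Security-Policy", ContentSecurityPolicy)
		h.Set("X-Content-Type-Options", "nosniff")
		h.Set("Referrer-Policy", "strict-origin-when-cross-origin")
		next.ServeHTTP(&headerStripper{ResponseWriter: w}, r)
		// Handler returned without writing anything: the server will send an implicit
		// 200 after we return, so strip once more in case the header was set but unused.
		h.Del("X-XSS-Protection")
	})
}

// legacyHandler is a hypothetical stand-in for a handler that still has the line the
// issue asks to delete; it exists only to show the middleware removing it.
func legacyHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("X-XSS-Protection", "1; mode=block")
	fmt.Fprintln(w, "ok")
}

// ResponseHeaders serves one GET / through the handler in-process (httptest, no network)
// and returns the response headers, which is also how a CI regression check would assert
// that the deprecated header never comes back.
func ResponseHeaders(h http.Handler) http.Header {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/", nil))
	return rec.Result().Header
}

func main() {
	hdr := ResponseHeaders(SecurityHeaders(http.HandlerFunc(legacyHandler)))
	fmt.Printf("X-XSS-Protection present: %v\n", hdr.Get("X-XSS-Protection") != "")
	fmt.Println("Content-Security-Policy:", hdr.Get("Content-Security-Policy"))
}
```

The deletion happens inside `WriteHeader` rather than before `next.ServeHTTP` because headers are mutable until the status line is flushed; deleting earlier would be undone by the legacy `Set`. The trailing `Del` after `next` returns covers handlers that set the header and then write nothing, where the server emits the status line only after the handler has returned.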
