From 409107d2f5f3abbc5ea5f6414902948776e9954d Mon Sep 17 00:00:00 2001 From: Maximilian Bosch Date: Sun, 31 Aug 2025 15:22:16 +0200 Subject: [PATCH] nixos/grafana: don't set X-XSS-Protection anymore Part of #438800. The OWASP recommendation[1] is: > The X-XSS-Protection header has been deprecated by modern browsers > and its use can introduce additional security issues on the client > side. As such, it is recommended to set the header as X-XSS-Protection: 0 > in order to disable the XSS Auditor, and not allow it to take the default > behavior of the browser handling the response. Please use > Content-Security-Policy instead. Hence, we turn this off, diverging from the upstream defaults here. An upstream issue has been opened[2]. [1] https://owasp.org/www-project-secure-headers/#x-xss-protection [2] https://github.com/grafana/grafana/issues/110369 --- nixos/modules/services/monitoring/grafana.nix | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/nixos/modules/services/monitoring/grafana.nix b/nixos/modules/services/monitoring/grafana.nix index 2d84636d436a..8a849ad4022b 100644 --- a/nixos/modules/services/monitoring/grafana.nix +++ b/nixos/modules/services/monitoring/grafana.nix @@ -985,10 +985,13 @@ in x_xss_protection = mkOption { description = '' - Set to `false` to disable the `X-XSS-Protection` header, + Set to `true` to enable the `X-XSS-Protection` header, which tells browsers to stop pages from loading when they detect reflected cross-site scripting (XSS) attacks. + + __Note:__ this is the default in Grafana, it's turned off here + since it's [recommended to not use this header anymore](https://owasp.org/www-project-secure-headers/#x-xss-protection). ''; - default = true; + default = false; type = types.bool; };
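Review bot: the new `__Note:__` paragraph in the description leaves it unclear what `default = false` actually does, and that matters for the OWASP text quoted in the commit message. OWASP recommends sending `X-XSS-Protection: 0` explicitly so the browser does not fall back to its own default auditor behaviour, while the option text being removed ("Set to `false` to disable the `X-XSS-Protection` header") reads as omitting the header altogether; the description should say which of the two `false` produces, and if it omits the header, point out that an explicit `X-XSS-Protection: 0` has to be added by a reverse proxy in front of Grafana for deployments that want the exact OWASP behaviour. The note itself is a comma splice with a dangling "this"; suggest `__Note:__ Grafana's upstream default is \`true\`; this module defaults to \`false\` because` followed by the OWASP link ("recommended not to use this header anymore"). Since the diffstat shows only `grafana.nix` touched, a changed default that users may have relied on also deserves a release-notes entry in the NixOS manual alongside the "Part of #438800" reference.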
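The patch changes what Grafana sends, and the OWASP guidance it quotes is easy to get subtly wrong (a header of `1; mode=block` re-enables the legacy auditor, an absent header leaves the browser to its defaults, and the real fix is a Content-Security-Policy). As an added example, not code from the NixOS module or from Grafana, the following Python audits a raw HTTP response head against that guidance. The sample responses and the CSP value in them are constructed for illustration and are not captured from a Grafana instance; `parse_response_head` and `audit_xss_headers` are names chosen here.

```python
"""Audit an HTTP response head for the X-XSS-Protection / CSP recommendation.

Added example, not NixOS or Grafana code.  Input is the raw HTTP/1.x
response head as bytes; the sample responses at the bottom are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class HeaderAudit:
    xss_protection: str | None            # raw value, None when the header is absent
    csp: str | None                       # raw Content-Security-Policy, None when absent
    findings: list[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


def parse_response_head(raw: bytes) -> dict[str, list[str]]:
    """Parse status line and headers of an HTTP/1.x response.

    Header names are case-insensitive (RFC 9110), so they are lower-cased.
    Repeated headers are kept in order; whitespace around values is stripped.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    if not re.match(r"^HTTP/1\.[01] \d{3}", lines[0]):
        raise ValueError(f"not an HTTP/1.x status line: {lines[0]!r}")
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit_xss_headers(raw: bytes) -> HeaderAudit:
    """Apply the OWASP guidance quoted in the commit message.

    - X-XSS-Protection must be absent or exactly "0"; "1" or "1; mode=block"
      turns the deprecated auditor on and is flagged.
    - A Content-Security-Policy header should be present, since that is the
      recommended replacement for the auditor.
    """
    headers = parse_response_head(raw)
    xss = headers.get("x-xss-protection")
    csp = headers.get("content-security-policy")
    audit = HeaderAudit(
        xss_protection=xss[-1] if xss else None,
        csp=csp[-1] if csp else None,
    )
    if xss and len(xss) > 1:
        audit.findings.append("X-XSS-Protection sent more than once")
    if audit.xss_protection is not None:
        # Only the leading directive decides; "1; mode=block" still enables it.
        mode = audit.xss_protection.split(";", 1)[0].strip()
        if mode != "0":
            audit.findings.append(
                f"X-XSS-Protection enables the legacy XSS auditor: {audit.xss_protection!r}"
            )
    if audit.csp is None:
        audit.findings.append("no Content-Security-Policy header")
    return audit


# Constructed sample responses (not captured from a real Grafana instance).
LEGACY_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"X-XSS-Protection: 1; mode=block\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"\r\n"
    b"<html>...</html>"
)

HARDENED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"X-XSS-Protection: 0\r\n"
    b"Content-Security-Policy: default-src 'self'; object-src 'none'\r\n"
    b"\r\n"
)

# Header omitted entirely (what a `false` option that drops the header yields).
OMITTED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Content-Security-Policy: default-src 'self'; object-src 'none'\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for label, resp in [("legacy", LEGACY_RESPONSE), ("hardened", HARDENED_RESPONSE),
                        ("omitted", OMITTED_RESPONSE)]:
        result = audit_xss_headers(resp)
        print(label, "OK" if result.ok else "; ".join(result.findings))
```

The audit treats an absent header as acceptable, matching the OWASP text ("deprecated by modern browsers"), but distinguishes it from an explicit `0` via `xss_protection`, which is the distinction the option description should make clear. Run it against `curl -si https://<grafana-host>/` output to check what a deployment actually sends.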