chn/nixpkgs
1
0
Fork 0
mirror of https://github.com/CHN-beta/nixpkgs.git synced 2026-01-11 18:32:23 +08:00
Code Issues Packages Projects Releases Wiki Activity

nixos/grafana: don't set X-XSS-Protection anymore

Browse Source 
Part of #438800.

The OWASP recommentation[1] is:

> The X-XSS-Protection header has been deprecated by modern browsers
> and its use can introduce additional security issues on the client
> side. As such, it is recommended to set the header as X-XSS-Protection: 0
> in order to disable the XSS Auditor, and not allow it to take the default
> behavior of the browser handling the response. Please use
> Content-Security-Policy instead.

Hence, we turn this off, diverging from the upstream defaults here. An
upstream issue has been opened[2].

[1] https://owasp.org/www-project-secure-headers/#x-xss-protection
[2] https://github.com/grafana/grafana/issues/110369
This commit is contained in:
Maximilian Bosch
2025-08-31 15:22:16 +02:00
parent 925e8b8962
commit 409107d2f5
1 changed files with 5 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
nixos/modules/services/monitoring/grafana.nix
View File

@@ -985,10 +985,13 @@ in
x_xss_protection = mkOption { x_xss_protection = mkOption {
description = '' description = ''
Set to `false` to disable the `X-XSS-Protection` header, Set to `true` to enable the `X-XSS-Protection` header,
which tells browsers to stop pages from loading when they detect reflected cross-site scripting (XSS) attacks. which tells browsers to stop pages from loading when they detect reflected cross-site scripting (XSS) attacks.
__Note:__ this is the default in Grafana, it's turned off here
since it's [recommended to not use this header anymore](https://owasp.org/www-project-secure-headers/#x-xss-protection).
''; '';
default = true; default = false;
type = types.bool; type = types.bool;
}; };