nixos/grafana: don't set X-XSS-Protection anymore

Part of #438800. The OWASP recommentation[1] is: > The X-XSS-Protection header has been deprecated by modern browsers > and its use can introduce additional security issues on the client > side. As such, it is recommended to set the header as X-XSS-Protection: 0 > in order to disable the XSS Auditor, and not allow it to take the default > behavior of the browser handling the response. Please use > Content-Security-Policy instead. Hence, we turn this off, diverging from the upstream defaults here. An upstream issue has been opened[2]. [1] https://owasp.org/www-project-secure-headers/#x-xss-protection [2] https://github.com/grafana/grafana/issues/110369
2026-01-11 18:32:23 +08:00 · 2025-08-31 15:22:16 +02:00
parent 925e8b8962
commit 409107d2f5
1 changed files with 5 additions and 2 deletions
--- a/nixos/modules/services/monitoring/grafana.nix
+++ b/nixos/modules/services/monitoring/grafana.nix
@@ -985,10 +985,13 @@ in

            x_xss_protection = mkOption {
              description = ''
-                Set to `false` to disable the `X-XSS-Protection` header,
+                Set to `true` to enable the `X-XSS-Protection` header,
                which tells browsers to stop pages from loading when they detect reflected cross-site scripting (XSS) attacks.
+
+                __Note:__ this is the default in Grafana, it's turned off here
+                since it's [recommended to not use this header anymore](https://owasp.org/www-project-secure-headers/#x-xss-protection).
              '';
-              default = true;
+              default = false;
              type = types.bool;
            };