nixos/grocy: don't set X-XSS-Protection anymore

Part of #438800. The OWASP recommentation[1] is: > The X-XSS-Protection header has been deprecated by modern browsers > and its use can introduce additional security issues on the client > side. As such, it is recommended to set the header as X-XSS-Protection: 0 > in order to disable the XSS Auditor, and not allow it to take the default > behavior of the browser handling the response. Please use > Content-Security-Policy instead. [1] https://owasp.org/www-project-secure-headers/#x-xss-protection (cherry picked from commit c129255508)
2026-01-11 10:22:54 +08:00 · 2025-09-01 22:36:10 +01:00
parent d8c2bd99a8
commit c85c6554aa
1 changed files with 0 additions and 1 deletions
--- a/nixos/modules/services/web-apps/grocy.nix
+++ b/nixos/modules/services/web-apps/grocy.nix
@@ -191,7 +191,6 @@ in
          locations."~ \\.(js|css|ttf|woff2?|png|jpe?g|svg)$".extraConfig = ''
            add_header Cache-Control "public, max-age=15778463";
            add_header X-Content-Type-Options nosniff;
-            add_header X-XSS-Protection "1; mode=block";
            add_header X-Robots-Tag none;
            add_header X-Download-Options noopen;
            add_header X-Permitted-Cross-Domain-Policies none;