[Backport release-25.05] nixos/grafana: don't set X-XSS-Protection anymore (#439325)

2026-01-11 10:22:54 +08:00 · 2025-09-02 15:09:29 -04:00
parent 8574caa202 27d2e27300
commit d9cfae021d
1 changed files with 5 additions and 2 deletions
--- a/nixos/modules/services/monitoring/grafana.nix
+++ b/nixos/modules/services/monitoring/grafana.nix
@@ -985,10 +985,13 @@ in

            x_xss_protection = mkOption {
              description = ''
-                Set to `false` to disable the `X-XSS-Protection` header,
+                Set to `true` to enable the `X-XSS-Protection` header,
                which tells browsers to stop pages from loading when they detect reflected cross-site scripting (XSS) attacks.
+
+                __Note:__ this is the default in Grafana, it's turned off here
+                since it's [recommended to not use this header anymore](https://owasp.org/www-project-secure-headers/#x-xss-protection).
              '';
-              default = true;
+              default = false;
              type = types.bool;
            };