fix: remove obsolete X-XSS-Protection header

the `X-XSS-Protection` is a legacy, non-standard and deprecated header for older web browsers that don't yet support CSP (Content-Security-Policy) header. but it is deprecated and no longer considered an effective defense mechanism. - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection - https://crashtest-security.com/x-xss-protection-retired/
static-web-server · Jun 3, 2023 · 91519c9 · 91519c9
1 parent a75147e
commit 91519c9
Showing 1 changed file with 0 additions and 5 deletions.
diff --git a/src/security_headers.rs b/src/security_headers.rs
@@ -8,7 +8,6 @@
 
 use http::header::{
     CONTENT_SECURITY_POLICY, STRICT_TRANSPORT_SECURITY, X_CONTENT_TYPE_OPTIONS, X_FRAME_OPTIONS,
-    X_XSS_PROTECTION,
 };
 use hyper::{Body, Response};
 
@@ -27,10 +26,6 @@ pub fn append_headers(resp: &mut Response<Body>) {
     resp.headers_mut()
         .insert(X_FRAME_OPTIONS, "DENY".parse().unwrap());
 
-    // X-XSS-Protection
-    resp.headers_mut()
-        .insert(X_XSS_PROTECTION, "1; mode=block".parse().unwrap());
-
     // X-Content-Type-Options
     resp.headers_mut()
         .insert(X_CONTENT_TYPE_OPTIONS, "nosniff".parse().unwrap());