Allow disabling of the X-XSS-Protection header


      Problem

      The X-XSS-Protection header introduced in JRASERVER-25145 cannot be disabled.

      Suggested Solution

      Introduce an option to disable the X-XSS-Protection header, similar to the existing com.atlassian.jira.clickjacking.protection.disabled system property which allows disabling the X-Frame-Options and Content-Security-Policy headers.

      Why This Is Important

      As described in the following articles, the X-XSS-Protection header is generally considered to be obsolete and deprecated in modern usage and can have security drawbacks which outweigh its benefits:

      Workaround

      No workaround is currently available.
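      To make the trade-off concrete, here is an added example (not Jira's code and not part of this issue) that parses the X-XSS-Protection header's value syntax and audits a response's headers from a defender's point of view: it flags deployments that still turn the legacy browser XSS auditor on and checks whether a Content-Security-Policy header is present as the supported mitigation. The header names and sample values are constructed for the example; the audit messages are the example's own wording.

```python
"""Parse and audit the X-XSS-Protection header (added example, not Jira's code).

Recognised value syntax: "0", "1", "1; mode=block", "1; report=<uri>".
The audit treats an enabled auditor as a finding and expects CSP instead.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class XssProtection:
    enabled: bool                  # "1" turns the legacy auditor on, "0" disables it
    mode_block: bool = False       # "mode=block" blocks rendering instead of sanitising
    report_uri: Optional[str] = None  # "report=<uri>" reporting endpoint


def parse_x_xss_protection(value: str) -> XssProtection:
    """Parse an X-XSS-Protection value; raise ValueError on malformed input."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts or parts[0] not in ("0", "1"):
        raise ValueError(f"malformed X-XSS-Protection value: {value!r}")
    result = XssProtection(enabled=(parts[0] == "1"))
    for directive in parts[1:]:
        name, _, arg = directive.partition("=")
        name, arg = name.strip().lower(), arg.strip()
        if name == "mode" and arg.lower() == "block":
            result.mode_block = True
        elif name == "report" and arg:
            result.report_uri = arg
        else:
            raise ValueError(f"unknown X-XSS-Protection directive: {directive!r}")
    return result


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings for a response's headers (names are case-insensitive)."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    xss_value = lower.get("x-xss-protection")
    if xss_value is not None:
        parsed = parse_x_xss_protection(xss_value)
        if parsed.enabled:
            findings.append(
                "X-XSS-Protection enables the deprecated browser XSS auditor; "
                "send 'X-XSS-Protection: 0' or omit the header"
            )
        if parsed.report_uri:
            findings.append(
                f"X-XSS-Protection reports to {parsed.report_uri}; "
                "auditor reports are not delivered by current browsers"
            )

    if "content-security-policy" not in lower:
        findings.append(
            "no Content-Security-Policy header; CSP is the supported XSS mitigation"
        )
    return findings


# Constructed sample responses: a legacy configuration and a modern one.
LEGACY_RESPONSE = {
    "Content-Type": "text/html",
    "X-XSS-Protection": "1; mode=block",
}
MODERN_RESPONSE = {
    "Content-Type": "text/html",
    "X-XSS-Protection": "0",
    "Content-Security-Policy": "default-src 'self'",
}

if __name__ == "__main__":
    for label, resp in (("legacy", LEGACY_RESPONSE), ("modern", MODERN_RESPONSE)):
        print(label, audit_headers(resp) or ["no findings"])
```

      Running the script prints two findings for the legacy response (auditor enabled, no CSP) and none for the modern one; the same `audit_headers` function can be pointed at headers captured from a real Jira instance to confirm what it currently emits.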

              Assignee:
              Unassigned
              Reporter:
              Marcus Fong
              Votes:
              2
              Watchers:
              1