Allow disabling of the X-XSS-Protection header



      Problem

      The X-XSS-Protection header introduced in JRASERVER-25145 cannot be disabled.

      Suggested Solution

      Introduce an option to disable the X-XSS-Protection header, similar to the existing com.atlassian.jira.clickjacking.protection.disabled system property which allows disabling the X-Frame-Options and Content-Security-Policy headers.

      Why This Is Important

      As described in the following articles, the X-XSS-Protection header is generally considered to be obsolete and deprecated in modern usage and can have security drawbacks which outweigh its benefits:

      Workaround

      No workaround is currently available.
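As an added illustration of the concern raised under "Why This Is Important" (example code, not part of the original issue or of Jira): a small check that classifies the legacy X-XSS-Protection header in an HTTP response and reports whether the modern replacement, Content-Security-Policy, is present. Header names, the dict-based response representation and the two sample responses are constructed for the example.

```python
"""Audit the legacy X-XSS-Protection header in HTTP response headers.

Added example, not Jira's code. Headers are supplied as a plain dict
(constructed samples below), so the check runs offline.
"""
from typing import Dict, List, Optional


def _get(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def parse_xss_protection(value: str) -> dict:
    """Split the legacy syntax ("0", "1", "1; mode=block", "1; report=<url>")."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    result = {"enabled": parts[0] == "1", "mode": None, "report": None}
    for directive in parts[1:]:
        key, _, val = directive.partition("=")
        key = key.strip().lower()
        if key in ("mode", "report"):
            result[key] = val.strip()
    return result


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return human-readable findings about the XSS filter header and CSP."""
    findings: List[str] = []
    xss = _get(headers, "X-XSS-Protection")
    if xss is None:
        findings.append("X-XSS-Protection absent: fine for modern browsers")
    elif parse_xss_protection(xss)["enabled"]:
        # Value "1" (with or without mode=block) turns on the deprecated browser filter.
        findings.append(f"X-XSS-Protection enables the legacy filter ({xss!r}): "
                        "deprecated, prefer '0' or removal plus CSP")
    else:
        findings.append("X-XSS-Protection: 0 explicitly disables the legacy filter: OK")
    if _get(headers, "Content-Security-Policy") is None:
        findings.append("Content-Security-Policy missing: no modern replacement for the filter")
    return findings


# Constructed sample responses (not captured from a real Jira instance).
LEGACY = {"X-XSS-Protection": "1; mode=block", "X-Frame-Options": "SAMEORIGIN"}
MODERN = {"X-XSS-Protection": "0", "Content-Security-Policy": "frame-ancestors 'self'"}

if __name__ == "__main__":
    for label, hdrs in (("legacy", LEGACY), ("modern", MODERN)):
        print(label, *audit_headers(hdrs), sep="\n  ")
```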

            Assignee: Unassigned
            Reporter: Marcus Fong
            Votes: 2
            Watchers: 1
