Disabled usage of X-XSS-Protection HTTP Header

phax · Jan 25, 2024 · 8a3363f · 8a3363f
1 parent 12dff3a
commit 8a3363f
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/phoss-smp-webapp/src/main/java/com/helger/phoss/smp/servlet/SMPWebAppListener.java b/phoss-smp-webapp/src/main/java/com/helger/phoss/smp/servlet/SMPWebAppListener.java
@@ -213,6 +213,11 @@ protected void initGlobalSettings ()
       // Peppol SMP is always http only
       UnifiedResponseDefaultSettings.removeStrictTransportSecurity ();
     }
+    // Instead of the service using the X-XSS-Protection header, a better way to
+    // protect against XSS attacks is final to define a final strong
+    // Content-Security-Policy header final that prevents the final execution of
+    // embedded final JavaScript code.
+    UnifiedResponseDefaultSettings.setEnableXSSFilter (false);
 
     // Avoid writing unnecessary stuff
     setHandleStatisticsOnEnd (SMPWebAppConfiguration.isPersistStatisticsOnEnd ());