Mark Dain Interesting article, perhaps we ought to be using X-XSS-Protection: 0 instead to avoid browser bugs ?
Login or register your account to reply
Martijn I must have missed something, when do I need X-XSS-Protection? Shouldn't I just be using CSP to define exactly what resources are allowed to load?
5y, 18w 2 replies
Mark Dain Funny you should say that, it's almost exactly what MDN says; developer.mozilla.... that it's a legacy header. What I found interesting was with a strong CSP implementation, disabling the XSS filter/auditor may actually improve security
5y, 18w 1 reply