Play currently sets the `X-XSS-Protection` response header by default when `SecurityHeadersFilter` is enabled:

```http
X-XSS-Protection: 1; mode=block
```

This header is obsolete. MDN marks `X-XSS-Protection` as deprecated and non-standard, recommends using `Content-Security-Policy` instead, and warns that XSS filtering can create vulnerabilities in otherwise safe websites:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-XSS-Protection
According to MDN browser compatibility data, the last major browser listed as removing support was Safari in version 15.4. Chrome removed it in 78, Edge removed it in 17, Firefox never supported it, and Android WebView is listed as unsupported:
https://github.com/mdn/browser-compat-data/blob/main/http/headers/X-XSS-Protection.json
So Play should stop sending this header by default.
Proposed change:

```scala
case class SecurityHeadersConfig(
  frameOptions: Option[String] = Some("DENY"),
  xssProtection: Option[String] = None,
  contentTypeOptions: Option[String] = Some("nosniff"),
  ...
)
```
Users who still need the header for legacy clients can keep enabling it explicitly:

```hocon
play.filters.headers.xssProtection = "1; mode=block"
```
This would align Play’s default security headers with current browser behavior and avoid sending a deprecated header by default.
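The quickest way to confirm what a running application actually emits before and after such a change is to audit its response headers. The following is an added example, not code from this issue or from Play itself: it parses a raw HTTP response head, flags the deprecated `X-XSS-Protection` header, and checks for the `Content-Security-Policy` replacement MDN recommends (including a `script-src` that allows `'unsafe-inline'`, which undermines CSP as an XSS mitigation). The sample responses are constructed to mirror the current and proposed `SecurityHeadersFilter` defaults; they were not captured from a real server, and the finding codes are names chosen for this example.

```python
"""Audit HTTP response headers for the deprecated X-XSS-Protection header.

Added example; not part of the Play issue or of Play's code base.
"""
from typing import Dict, List, Tuple

# Constructed sample responses (not captured from a real Play server).
# CURRENT_DEFAULTS mirrors what SecurityHeadersFilter sends today;
# PROPOSED_DEFAULTS drops X-XSS-Protection; HARDENED also adds a CSP.
CURRENT_DEFAULTS = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
)
PROPOSED_DEFAULTS = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
)
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
)

Finding = Tuple[str, str]  # (code, human-readable message)


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP/1.1 response head into a lowercase-keyed header map.

    Duplicate field names are joined with ", " as RFC 9110 allows for
    list-valued fields. Parsing stops at the blank line that ends the head.
    """
    headers: Dict[str, str] = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:  # lines[0] is the status line
        if line == "":
            break
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        key = name.strip().lower()
        value = value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def _csp_script_sources(csp: str) -> List[str]:
    """Return the source list governing scripts: script-src, else default-src."""
    directives: Dict[str, List[str]] = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives.get("script-src", directives.get("default-src", []))


def audit_security_headers(headers: Dict[str, str]) -> List[Finding]:
    """Return findings about the XSS-related headers in a parsed response."""
    findings: List[Finding] = []
    xss = headers.get("x-xss-protection")
    if xss is not None:
        findings.append((
            "XSS_PROTECTION_PRESENT",
            f"X-XSS-Protection: {xss} is deprecated and ignored by current "
            "browsers; remove it or keep it only for legacy clients",
        ))
    csp = headers.get("content-security-policy")
    if csp is None:
        findings.append((
            "CSP_MISSING",
            "no Content-Security-Policy; CSP is the supported replacement "
            "for browser XSS filtering",
        ))
    elif "'unsafe-inline'" in _csp_script_sources(csp):
        findings.append((
            "CSP_UNSAFE_INLINE",
            "script sources allow 'unsafe-inline', which defeats CSP as an "
            "XSS mitigation",
        ))
    if headers.get("x-frame-options") is None:
        findings.append(("FRAME_OPTIONS_MISSING", "no X-Frame-Options header"))
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("CONTENT_TYPE_OPTIONS_MISSING",
                         "X-Content-Type-Options is not 'nosniff'"))
    return findings


def finding_codes(raw_response: str) -> List[str]:
    """Convenience wrapper: parse a raw response and return only finding codes."""
    return [code for code, _ in audit_security_headers(parse_headers(raw_response))]


if __name__ == "__main__":
    for label, sample in [("current", CURRENT_DEFAULTS),
                          ("proposed", PROPOSED_DEFAULTS),
                          ("hardened", HARDENED)]:
        print(label, finding_codes(sample))
```

Against the constructed samples, the current defaults produce both `XSS_PROTECTION_PRESENT` and `CSP_MISSING`, the proposed defaults leave only `CSP_MISSING`, and a response that also carries a restrictive CSP is clean. To audit a live deployment, feed `parse_headers` the head of a real response (for example from `curl -sI`) instead of the embedded samples.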