
Disable X-XSS-Protection by default in SecurityHeadersFilter #13993

Description

@mkurz

Play currently sets the X-XSS-Protection response header by default when SecurityHeadersFilter is enabled:

X-XSS-Protection: 1; mode=block

This header is obsolete. MDN marks X-XSS-Protection as deprecated and non-standard, recommends using Content-Security-Policy instead, and warns that XSS filtering can create vulnerabilities in otherwise safe websites:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-XSS-Protection

According to MDN browser compatibility data, the last major browser listed as removing support was Safari in version 15.4. Chrome removed it in 78, Edge removed it in 17, Firefox never supported it, and Android WebView is listed as unsupported:

https://github.com/mdn/browser-compat-data/blob/main/http/headers/X-XSS-Protection.json

So Play should stop sending this header by default.

Proposed change:

case class SecurityHeadersConfig(
    frameOptions: Option[String] = Some("DENY"),
    xssProtection: Option[String] = None,
    contentTypeOptions: Option[String] = Some("nosniff"),
    ...
)

Users who still need the header for legacy clients can keep enabling it explicitly:

play.filters.headers.xssProtection = "1; mode=block"

This would align Play’s default security headers with current browser behavior and avoid sending a deprecated header by default.
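As an added illustration (not part of this issue or of Play's code), the following Python check audits a raw HTTP response for the behaviour the issue describes: it flags a response that still sends X-XSS-Protection and one that lacks Content-Security-Policy. The two response heads are constructed samples of the current and the proposed default header set.

```python
"""Audit a raw HTTP response for the deprecated X-XSS-Protection header.
Added example, not from the Play issue or Play itself; sample responses
below are constructed to mirror the current and proposed defaults."""
from typing import Dict, List

# Constructed sample: header set Play emits with the current default.
OLD_DEFAULT_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# Constructed sample: proposed default plus an explicitly configured CSP.
NEW_DEFAULT_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw response. Header names are
    lower-cased because HTTP treats them case-insensitively."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def audit(raw: str) -> List[str]:
    """Return findings: deprecated header present, CSP missing."""
    headers = parse_headers(raw)
    findings: List[str] = []
    if "x-xss-protection" in headers:
        findings.append(
            f"deprecated X-XSS-Protection sent: {headers['x-xss-protection']!r}"
        )
    if "content-security-policy" not in headers:
        findings.append("no Content-Security-Policy header")
    return findings
```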
