From ab8e5383fb6021afd690060c7b718dc505e7d30c Mon Sep 17 00:00:00 2001
From: Markus Heiser <markus.heiser@darmarit.de>
Date: Wed, 31 Jan 2024 08:52:07 +0100
Subject: [PATCH] [mod] remove X-XSS-Protection headers
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Deprecated header that current browsers no longer honour[1]:

"""In modern browsers, X-XSS-Protection has been deprecated in favor of the
Content-Security-Policy to disable the use of inline JavaScript. Its use can
introduce XSS vulnerabilities in otherwise safe websites. This should not be
used unless you need to support older web browsers that don’t yet support CSP.
It is thus recommended to set the header as X-XSS-Protection: 0."""[2]

[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
[2] https://infosec.mozilla.org/guidelines/web_security#x-xss-protection

Closes: https://github.com/searxng/searxng/issues/3171
Signed-off-by: Markus Heiser <markus.heiser@darmarit.de>
---
 docs/admin/settings/settings_server.rst | 1 -
 searx/settings.yml                      | 1 -
 tests/unit/settings/user_settings.yml   | 1 -
 3 files changed, 3 deletions(-)

diff --git a/docs/admin/settings/settings_server.rst b/docs/admin/settings/settings_server.rst
index b1b3a14f7..daba6d1dd 100644
--- a/docs/admin/settings/settings_server.rst
+++ b/docs/admin/settings/settings_server.rst
@@ -16,7 +16,6 @@
        image_proxy: false
        default_http_headers:
          X-Content-Type-Options : nosniff
-         X-XSS-Protection : 1; mode=block
          X-Download-Options : noopen
          X-Robots-Tag : noindex, nofollow
          Referrer-Policy : no-referrer
diff --git a/searx/settings.yml b/searx/settings.yml
index ebd6d5463..8dbd6bc71 100644
--- a/searx/settings.yml
+++ b/searx/settings.yml
@@ -88,7 +88,6 @@ server:
   method: "POST"
   default_http_headers:
     X-Content-Type-Options: nosniff
-    X-XSS-Protection: 1; mode=block
     X-Download-Options: noopen
     X-Robots-Tag: noindex, nofollow
     Referrer-Policy: no-referrer
diff --git a/tests/unit/settings/user_settings.yml b/tests/unit/settings/user_settings.yml
index fba8e6133..c4c4d74ef 100644
--- a/tests/unit/settings/user_settings.yml
+++ b/tests/unit/settings/user_settings.yml
@@ -19,7 +19,6 @@ server:
   method: "POST"
   default_http_headers:
     X-Content-Type-Options: nosniff
-    X-XSS-Protection: 1; mode=block
     X-Download-Options: noopen
     X-Robots-Tag: noindex, nofollow
     Referrer-Policy: no-referrer