[Docs] remove x-xss-protection-header (#53362)

The x-xss-protection header is a non-standardized HTTP header with low browser-capability.
If it is likely to be supported in the future, it can be treated as experimental, but since it is not, it is preferable to remove it.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
https://caniuse.com/mdn-http_headers_x-xss-protection
JJ 2023-07-31 05:12:41 +09:00 committed by GitHub
parent 4a926efb83
commit d3b0c7bb42
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

@ -437,17 +437,6 @@ If you're deploying to [Vercel](https://vercel.com/docs/concepts/edge-network/he
}
```
### X-XSS-Protection
This header stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. Although this protection is not necessary when sites implement a strong [`Content-Security-Policy`](#content-security-policy) disabling the use of inline JavaScript (`'unsafe-inline'`), it can still provide protection for older web browsers that don't support CSP.
```js
{
key: 'X-XSS-Protection',
value: '1; mode=block'
}
```
### X-Frame-Options
This header indicates whether the site should be allowed to be displayed within an `iframe`. This can prevent against clickjacking attacks. This header has been superseded by CSP's `frame-ancestors` option, which has better support in modern browsers.
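
Review bot: the `### X-XSS-Protection` section is deleted outright, and nothing in the remaining text says the header is now intentionally omitted. Readers who already copied `value: '1; mode=block'` from the earlier docs get no signal that they can drop it. Consider leaving one sentence in the Content-Security-Policy section, which the removed paragraph already named as the protection that makes this header unnecessary, stating that X-XSS-Protection is no longer recommended. While this area is being touched, the retained X-Frame-Options paragraph reads "prevent against clickjacking attacks"; "protect against" would be a cheap wording fix.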