Add "unset" option for X-XSS-Protection header (now default)

The X-XSS-Protection header is deprecated and introduces XSS
vulnerabilities in browsers that support it. The new "unset" option
actively removes this header from responses, including any set by
upstream servers.

Changes:
- Add "unset" value for security_headers_xss directive
- Change default from "off" (sends "0") to "unset" (removes header)
- "unset" bypasses content-type filtering since removal applies to all
- "omit" still allows upstream headers through unchanged

This is a breaking change for users who relied on the default "0" value
being sent. Use explicit "security_headers_xss off;" to restore the
previous behavior.

Author: dvershinin

README.md

@@ -25,7 +25,6 @@ Accept-Ranges: bytes
 Connection: keep-alive
 <b>X-Frame-Options: SAMEORIGIN
 X-Content-Type-Options: nosniff
-X-XSS-Protection: 0
 Referrer-Policy: strict-origin-when-cross-origin
 Cross-Origin-Resource-Policy: same-site
 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload</b>
@@ -71,11 +70,12 @@ start NGINX with the module to avoid having your domain preloaded by Chrome.
 Enables or disables applying security headers. The default set includes:
 
 * `X-Frame-Options: SAMEORIGIN`
-* `X-XSS-Protection: 0`
 * `Referrer-Policy: strict-origin-when-cross-origin`
 * `X-Content-Type-Options: nosniff`
 * `Cross-Origin-Resource-Policy: same-site`
 
+The deprecated `X-XSS-Protection` header is actively removed by default.
+
 The values of these headers (or their inclusion) can be controlled with other `security_headers_*` directives below.
 
 ### `hide_server_tokens`
@@ -106,16 +106,17 @@ A special value `omit` disables sending a particular header by the module (usefu
 
 ### `security_headers_xss`
 
-- **syntax**: `security_headers_xss off | on | block | omit`
-- **default**: `off`
+- **syntax**: `security_headers_xss off | on | block | omit | unset`
+- **default**: `unset`
 - **context**: `http`, `server`, `location`
 
-Controls `X-XSS-Protection` header. 
-Special `omit` value will disable sending the header by the module. 
-The `off` value is for disabling XSS protection: `X-XSS-Protection: 0`.
-This is the default because 
-[modern browsers do not support it](https://github.com/GetPageSpeed/ngx_security_headers/issues/19) and where it is 
-supported, it introduces vulnerabilities.
+Controls `X-XSS-Protection` header.
+
+* `unset` (default): Actively removes the header from responses, including any set by upstream servers. This is the recommended setting because the header is deprecated and [introduces XSS vulnerabilities](https://github.com/nicosalm/security-lab-xss-filter) in browsers that support it.
+* `omit`: Does not add or remove the header; allows upstream headers through unchanged.
+* `off`: Sends `X-XSS-Protection: 0` to explicitly disable browser XSS filtering.
+* `on`: Sends `X-XSS-Protection: 1`.
+* `block`: Sends `X-XSS-Protection: 1; mode=block`.
 
 ### `security_headers_frame`
 

src/ngx_http_security_headers_module.c

@@ -13,6 +13,7 @@
 #define NGX_HTTP_XSS_HEADER_OFF        1
 #define NGX_HTTP_XSS_HEADER_ON         2
 #define NGX_HTTP_XSS_HEADER_BLOCK      3
+#define NGX_HTTP_XSS_HEADER_UNSET      4  /* actively remove header */
 
 #define NGX_HTTP_FO_HEADER_SAME        1
 #define NGX_HTTP_FO_HEADER_DENY        2
@@ -93,6 +94,7 @@ static ngx_conf_enum_t  ngx_http_xss_protection[] = {
     { ngx_string("on"),     NGX_HTTP_XSS_HEADER_ON },
     { ngx_string("block"),  NGX_HTTP_XSS_HEADER_BLOCK },
     { ngx_string("omit"),   NGX_HTTP_SECURITY_HEADER_OMIT },
+    { ngx_string("unset"),  NGX_HTTP_XSS_HEADER_UNSET },
     { ngx_null_string, 0 }
 };
 
@@ -333,30 +335,34 @@ ngx_http_security_headers_filter(ngx_http_request_t *r)
         ngx_set_headers_out_by_search(r, &key, &val);
     }
 
-    /* Add X-XSS-Protection */
+    /* Handle X-XSS-Protection (deprecated header) */
     if (r->headers_out.status != NGX_HTTP_NOT_MODIFIED
-        && NGX_HTTP_SECURITY_HEADER_OMIT != slcf->xss
-        && ngx_http_test_content_type(r, &slcf->text_types) != NULL)
+        && NGX_HTTP_SECURITY_HEADER_OMIT != slcf->xss)
     {
+        ngx_str_set(&key, "X-XSS-Protection");
+
+        if (slcf->xss == NGX_HTTP_XSS_HEADER_UNSET) {
+            /* Actively remove the deprecated X-XSS-Protection header */
+            ngx_set_headers_out_by_search(r, &key, &empty_val);
+        } else if (ngx_http_test_content_type(r, &slcf->text_types) != NULL) {
+            switch (slcf->xss) {
+                case NGX_HTTP_XSS_HEADER_ON:
+                    ngx_str_set(&val, "1");
+                    break;
+                case NGX_HTTP_XSS_HEADER_BLOCK:
+                    ngx_str_set(&val, "1; mode=block");
+                    break;
+                case NGX_HTTP_XSS_HEADER_OFF:
+                    ngx_str_set(&val, "0");
+                    break;
+                default:
+                    val.len = 0;
+                    val.data = NULL;
+            }
 
-        switch (slcf->xss) {
-            case NGX_HTTP_XSS_HEADER_ON:
-                ngx_str_set(&val, "1");
-                break;
-            case NGX_HTTP_XSS_HEADER_BLOCK:
-                ngx_str_set(&val, "1; mode=block");
-                break;
-            case NGX_HTTP_XSS_HEADER_OFF:
-                ngx_str_set(&val, "0");
-                break;
-            default:
-                val.len = 0;
-                val.data = NULL;
-        }
-
-        if (val.data) {
-            ngx_str_set(&key, "X-XSS-Protection");
-            ngx_set_headers_out_by_search(r, &key, &val);
+            if (val.data) {
+                ngx_set_headers_out_by_search(r, &key, &val);
+            }
         }
     }
 
@@ -556,7 +562,7 @@ ngx_http_security_headers_merge_loc_conf(ngx_conf_t *cf, void *parent,
     }
 
     ngx_conf_merge_uint_value(conf->xss, prev->xss,
-                              NGX_HTTP_XSS_HEADER_OFF);
+                              NGX_HTTP_XSS_HEADER_UNSET);
     ngx_conf_merge_uint_value(conf->fo, prev->fo,
                               NGX_HTTP_FO_HEADER_SAME);
     ngx_conf_merge_uint_value(conf->rp, prev->rp,

t/headers.t

@@ -20,7 +20,7 @@ hello world
 
 
 
-=== TEST 2: no nosniff for html
+=== TEST 2: basic security headers (default xss is unset)
 --- config
     security_headers on;
     charset utf-8;
@@ -35,7 +35,7 @@ hello world
 content-type: text/plain; charset=utf-8
 x-content-type-options: nosniff
 x-frame-options: SAMEORIGIN
-x-xss-protection: 0
+!x-xss-protection
 
 
 
@@ -118,7 +118,7 @@ hello world
 --- response_headers
 x-content-type-options: nosniff
 x-frame-options: SAMEORIGIN
-x-xss-protection: 0
+!x-xss-protection
 referrer-policy: unsafe-url
 
 
@@ -143,7 +143,7 @@ hello world
 --- response_headers
 x-content-type-options: nosniff
 x-frame-options: SAMEORIGIN
-x-xss-protection: 0
+!x-xss-protection
 referrer-policy: origin
 
 
@@ -433,4 +433,62 @@ hello world
 --- response_headers
 Cross-Origin-Resource-Policy: same-origin
 Cross-Origin-Opener-Policy: same-origin
-Cross-Origin-Embedder-Policy: require-corp
+Cross-Origin-Embedder-Policy: require-corp
+
+
+
+=== TEST 25: XSS unset removes header from upstream
+--- config
+    location = /hello {
+        add_header X-XSS-Protection "1; mode=block";
+        return 200 "hello world\n";
+    }
+    location = /hello-proxied {
+        security_headers on;
+        security_headers_xss unset;
+        proxy_buffering off;
+        proxy_pass http://127.0.0.1:$TEST_NGINX_SERVER_PORT/hello;
+    }
+--- request
+    GET /hello-proxied
+--- response_body
+hello world
+--- response_headers
+!x-xss-protection
+
+
+
+=== TEST 26: XSS omit allows upstream header through
+--- config
+    location = /hello {
+        add_header X-XSS-Protection "1; mode=block";
+        return 200 "hello world\n";
+    }
+    location = /hello-proxied {
+        security_headers on;
+        security_headers_xss omit;
+        proxy_buffering off;
+        proxy_pass http://127.0.0.1:$TEST_NGINX_SERVER_PORT/hello;
+    }
+--- request
+    GET /hello-proxied
+--- response_body
+hello world
+--- response_headers
+x-xss-protection: 1; mode=block
+
+
+
+=== TEST 27: XSS off still sends header value 0
+--- config
+    security_headers on;
+    security_headers_xss off;
+    location = /hello {
+        return 200 "hello world\n";
+    }
+--- request
+    GET /hello
+--- response_body
+hello world
+--- response_headers
+x-xss-protection: 0