Breaking Change
The default for `security_headers_xss` changed from `off` to `unset`:

- Previously: sent `X-XSS-Protection: 0` by default
- Now: actively removes the `X-XSS-Protection` header from responses

To restore the previous behavior, use:

`security_headers_xss off;`

Why this change?
The `X-XSS-Protection` header is deprecated. Modern browsers don't support it, and in the browsers that still do, the filter it enables introduces XSS vulnerabilities of its own.
New unset option

The new `unset` value actively removes the header from responses, including any set by upstream/proxied servers. This is now the default.

| Value | Behavior |
|---|---|
| `unset` (default) | Actively removes the header |
| `omit` | Does nothing; allows upstream headers through |
| `off` | Sends `X-XSS-Protection: 0` |
| `on` | Sends `X-XSS-Protection: 1` |
| `block` | Sends `X-XSS-Protection: 1; mode=block` |
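To confirm a deployment behaves as the table says after upgrading, the check below compares a captured response head (for example the output of `curl -si`) against the configured `security_headers_xss` value, taking into account what the upstream sent. This is an added example, not code from the module; the response samples and the helper names are constructed here.

```python
"""Verify X-XSS-Protection in captured responses against the security_headers_xss setting."""
from typing import Dict, Optional

# Directive value -> header value the module itself emits (None: emits nothing).
EMITTED = {"unset": None, "omit": None, "off": "0", "on": "1", "block": "1; mode=block"}


def expected_header(value: str, upstream: Optional[str]) -> Optional[str]:
    """Header value the client should see, given the directive and the upstream's own header."""
    if value == "unset":     # actively removed, even when the upstream set one
        return None
    if value == "omit":      # module is passive: upstream header passes through untouched
        return upstream
    return EMITTED[value]    # off / on / block: module sets its own value


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP/1.x response head into a lowercase-keyed dict (last value wins)."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:   # skip the status line
        if not line:                      # blank line ends the head
            break
        name, _, val = line.partition(":")
        headers[name.strip().lower()] = val.strip()
    return headers


def check_response(raw: str, value: str, upstream: Optional[str] = None) -> bool:
    """True when the captured response matches what the directive value should produce."""
    got = parse_headers(raw).get("x-xss-protection")
    return got == expected_header(value, upstream)


# Constructed samples: a response after the upgrade, and one with the legacy header.
SAMPLE_STRIPPED = "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n<html>"
SAMPLE_LEGACY = "HTTP/1.1 200 OK\r\nServer: nginx\r\nX-XSS-Protection: 0\r\n\r\n<html>"

if __name__ == "__main__":
    # With the new default, the header must be gone even if the upstream sent one.
    print("unset ok:", check_response(SAMPLE_STRIPPED, "unset", upstream="1; mode=block"))
    print("legacy off ok:", check_response(SAMPLE_LEGACY, "off"))
```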