
Drop X-XSS-Protection from the security headers panel

3a629625 by Isaac Bythewood · 1 day ago

Drop X-XSS-Protection from the security headers panel

The header is deprecated in modern browsers (and Caddy no longer sets it),
so flagging its absence produced a permanent fail with no useful signal.
Removed from the dashboard chips, the PDF report, the home-page copy, and
the PropertyContext field.
modified src/models.rs
@@ -104,7 +104,6 @@ pub struct PropertyContext {    pub invalid_cert: bool,    pub has_mime_type: bool,    pub has_content_sniffing_protection: bool,    pub has_xss_protection: bool,    pub has_clickjack_protection: bool,    pub hides_server_version: bool,    pub has_hsts: bool,
modified src/routes/dashboard.rs
@@ -249,10 +249,6 @@ pub async fn build_property_context(        .get("x-content-type-options")        .map(|v| v == "nosniff")        .unwrap_or(false);    let has_xss_protection = lower        .get("x-xss-protection")        .map(|v| v == "1; mode=block")        .unwrap_or(false);    let has_clickjack_protection = lower        .get("x-frame-options")        .map(|v| matches!(v.as_str(), "deny" | "sameorigin" | "allow-from"))
@@ -282,7 +278,6 @@ pub async fn build_property_context(    let has_security_issue = !is_https        || !has_mime_type        || !has_content_sniffing_protection        || !has_xss_protection        || !has_clickjack_protection        || !hides_server_version        || !has_hsts
@@ -348,7 +343,6 @@ pub async fn build_property_context(        invalid_cert,        has_mime_type,        has_content_sniffing_protection,        has_xss_protection,        has_clickjack_protection,        hides_server_version,        has_hsts,
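Review bot: The `"allow-from"` arm of the `has_clickjack_protection` match in the first hunk (`@@ -249`) is effectively dead code, because a real `X-Frame-Options: ALLOW-FROM https://origin` carries the URI and never equals the bare token, so the exact-match still fails for it — and since no current browser honours ALLOW-FROM, passing it would be the same kind of no-signal check this commit removes for X-XSS-Protection. The same reasoning applies to CSP: a site that relies on `Content-Security-Policy: frame-ancestors` instead of X-Frame-Options currently gets a permanent clickjack fail, unless `build_property_context` checks CSP elsewhere (the function starts and ends outside these hunks, so I cannot tell from here). I would drop the dead arm and accept a `frame-ancestors` directive as an alternative: `.map(|v| matches!(v.as_str(), "deny" | "sameorigin")).unwrap_or(false) || lower.get("content-security-policy").map(|v| v.contains("frame-ancestors")).unwrap_or(false);`. This assumes `lower` holds lower-cased header names and values, which the `"nosniff"` comparison suggests but the hunk does not show — worth confirming before relying on it.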
modified templates/pages/home.html
@@ -88,7 +88,7 @@      <div class="feature">        <div class="feature-label">security</div>        <div class="feature-title">Header analysis</div>        <p class="feature-desc">HTTPS, HSTS, HSTS preload, XSS and content-sniffing protection, clickjack defence, and server-version leak checks on every probe.</p>        <p class="feature-desc">HTTPS, HSTS, HSTS preload, content-sniffing protection, clickjack defence, and server-version leak checks on every probe.</p>      </div>    </div>    <div class="col-12 col-md-6 col-lg-4">
modified templates/properties/property.html
@@ -157,10 +157,6 @@          <span class="check-name">Clickjack protection</span>          <span class="chip {% if property.has_clickjack_protection %}chip-ok{% else %}chip-down{% endif %}">{% if property.has_clickjack_protection %}pass{% else %}fail{% endif %}</span>        </div>        <div class="check-list-item">          <span class="check-name">XSS protection</span>          <span class="chip {% if property.has_xss_protection %}chip-ok{% else %}chip-down{% endif %}">{% if property.has_xss_protection %}pass{% else %}fail{% endif %}</span>        </div>        <div class="check-list-item">          <span class="check-name">Hide server version</span>          <span class="chip {% if property.hides_server_version %}chip-ok{% else %}chip-down{% endif %}">{% if property.hides_server_version %}pass{% else %}fail{% endif %}</span>
modified templates/properties/property_report.typ
@@ -184,7 +184,6 @@  text(size: 7.5pt)[HSTS preload], text(size: 7.5pt)[{% if property.has_hsts_preload %}OK{% else %}Issue{% endif %}],  text(size: 7.5pt)[X-Frame-Options], text(size: 7.5pt)[{% if property.has_clickjack_protection %}OK{% else %}Issue{% endif %}],  text(size: 7.5pt)[X-Content-Type-Options], text(size: 7.5pt)[{% if property.has_content_sniffing_protection %}OK{% else %}Issue{% endif %}],  text(size: 7.5pt)[X-XSS-Protection], text(size: 7.5pt)[{% if property.has_xss_protection %}OK{% else %}Issue{% endif %}],  text(size: 7.5pt)[Server header hidden], text(size: 7.5pt)[{% if property.hides_server_version %}OK{% else %}Issue{% endif %}],))