Diffstat (limited to 'server/sonar-webserver/src')
-rw-r--r--server/sonar-webserver/src/main/java/org/sonar/server/platform/web/SecurityServletFilter.java6
-rw-r--r--server/sonar-webserver/src/test/java/org/sonar/server/app/SecurityErrorReportValveTest.java2
-rw-r--r--server/sonar-webserver/src/test/java/org/sonar/server/platform/web/SecurityServletFilterTest.java8
3 files changed, 8 insertions, 8 deletions
diff --git a/server/sonar-webserver/src/main/java/org/sonar/server/platform/web/SecurityServletFilter.java b/server/sonar-webserver/src/main/java/org/sonar/server/platform/web/SecurityServletFilter.java
index afb7332af2c..ce0687a7011 100644
--- a/server/sonar-webserver/src/main/java/org/sonar/server/platform/web/SecurityServletFilter.java
+++ b/server/sonar-webserver/src/main/java/org/sonar/server/platform/web/SecurityServletFilter.java
@@ -83,11 +83,11 @@ public class SecurityServletFilter implements Filter {
}
// Cross-site scripting
- // See https://www.owasp.org/index.php/List_of_useful_HTTP_headers
- httpResponse.setHeader("X-XSS-Protection", "1; mode=block");
+ // See https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#x-xss-protection
+ httpResponse.setHeader("X-XSS-Protection", "0");
// MIME-sniffing
- // See https://www.owasp.org/index.php/List_of_useful_HTTP_headers
+ // See https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#x-content-type-options
httpResponse.setHeader("X-Content-Type-Options", "nosniff");
}
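Review bot: The new `"0"` value sits directly under the `// Cross-site scripting` label with only a link for context, so a later reader is likely to read it as a regression and "fix" it back to `1; mode=block`. The comment should state the intent rather than rely on the link: `// Explicitly disable the legacy browser XSS auditor ("0"), as OWASP now recommends; the old "1; mode=block" mode has known side effects and is removed from modern browsers.` The same reasoning applies to the test expectations in SecurityErrorReportValveTest and SecurityServletFilterTest, where a one-line comment next to the `"0"` assertion would stop the value from being "corrected". The enclosing method starts outside this hunk, so the header-setting logic above line 83 is not visible here.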
diff --git a/server/sonar-webserver/src/test/java/org/sonar/server/app/SecurityErrorReportValveTest.java b/server/sonar-webserver/src/test/java/org/sonar/server/app/SecurityErrorReportValveTest.java
index 338c346eee1..1ab54b7902d 100644
--- a/server/sonar-webserver/src/test/java/org/sonar/server/app/SecurityErrorReportValveTest.java
+++ b/server/sonar-webserver/src/test/java/org/sonar/server/app/SecurityErrorReportValveTest.java
@@ -54,7 +54,7 @@ public class SecurityErrorReportValveTest {
underTest.invoke(request, response);
verify(response).setHeader("X-Frame-Options", "SAMEORIGIN");
- verify(response).setHeader("X-XSS-Protection", "1; mode=block");
+ verify(response).setHeader("X-XSS-Protection", "0");
verify(response).setHeader("X-Content-Type-Options", "nosniff");
verify(response).setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains;");
}
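Review bot: This test now expects `X-XSS-Protection: 0` from `SecurityErrorReportValve`, but no production change to that valve appears in the diffstat, which is limited to `server/sonar-webserver/src`; presumably the valve class lives in another module or shares the header-setting code with the filter, but that is not verifiable from this view. If the valve still emits `1; mode=block`, this test fails and the error-report path keeps the legacy value while the filter path does not, so it is worth confirming the valve's change is part of the same commit. The enclosing test method starts outside this hunk.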
diff --git a/server/sonar-webserver/src/test/java/org/sonar/server/platform/web/SecurityServletFilterTest.java b/server/sonar-webserver/src/test/java/org/sonar/server/platform/web/SecurityServletFilterTest.java
index 14805dc0ed0..500deeb7e5e 100644
--- a/server/sonar-webserver/src/test/java/org/sonar/server/platform/web/SecurityServletFilterTest.java
+++ b/server/sonar-webserver/src/test/java/org/sonar/server/platform/web/SecurityServletFilterTest.java
@@ -99,7 +99,7 @@ public class SecurityServletFilterTest {
underTest.doFilter(request, response, chain);
verify(response).setHeader("X-Frame-Options", "SAMEORIGIN");
- verify(response).setHeader("X-XSS-Protection", "1; mode=block");
+ verify(response).setHeader("X-XSS-Protection", "0");
verify(response).setHeader("X-Content-Type-Options", "nosniff");
assertNull(response.getHeader("Strict-Transport-Security"));
}
@@ -112,7 +112,7 @@ public class SecurityServletFilterTest {
underTest.doFilter(request, response, chain);
verify(response).setHeader("X-Frame-Options", "SAMEORIGIN");
- verify(response).setHeader("X-XSS-Protection", "1; mode=block");
+ verify(response).setHeader("X-XSS-Protection", "0");
verify(response).setHeader("X-Content-Type-Options", "nosniff");
verify(response).setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains;");
}
@@ -124,7 +124,7 @@ public class SecurityServletFilterTest {
underTest.doFilter(request, response, chain);
verify(response, never()).setHeader(eq("X-Frame-Options"), anyString());
- verify(response).setHeader("X-XSS-Protection", "1; mode=block");
+ verify(response).setHeader("X-XSS-Protection", "0");
verify(response).setHeader("X-Content-Type-Options", "nosniff");
}
@@ -138,7 +138,7 @@ public class SecurityServletFilterTest {
underTest.doFilter(request, response, chain);
verify(response, never()).setHeader(eq("X-Frame-Options"), anyString());
- verify(response).setHeader("X-XSS-Protection", "1; mode=block");
+ verify(response).setHeader("X-XSS-Protection", "0");
verify(response).setHeader("X-Content-Type-Options", "nosniff");
}