From 60b239e2d76e53d8c59b77c48e1f370bfdaa0c19 Mon Sep 17 00:00:00 2001 From: Bastian Gutschke Date: Wed, 19 Jul 2017 16:35:49 +0200 Subject: [PATCH] bkkvbu: disable X-XSS-Protection (set via application) --- .../bkk-vbu/dev-web01-meine-krankenkasse-de.pixelpark.net.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/customer/bkk-vbu/dev-web01-meine-krankenkasse-de.pixelpark.net.yaml b/customer/bkk-vbu/dev-web01-meine-krankenkasse-de.pixelpark.net.yaml index 2131bd36..ea097d49 100644 --- a/customer/bkk-vbu/dev-web01-meine-krankenkasse-de.pixelpark.net.yaml +++ b/customer/bkk-vbu/dev-web01-meine-krankenkasse-de.pixelpark.net.yaml @@ -43,7 +43,8 @@ infra::profile::apache::pp_vhosts: headers: - 'always unset "X-Powered-By"' - 'set X-Content-Type-Options: nosniff' - - 'set X-XSS-Protection: "1; mode=block"' + # X-XSS-Protection set by helmetjs (https://helmetjs.github.io/) + # - 'set X-XSS-Protection: "1; mode=block"' - 'set X-Frame-Options: "ALLOW-FROM https://dev-cms01-meine-krankenkasse-de.pixelpark.net"' - "set Content-Security-Policy: \"default-src 'self'; img-src 'self' webstats.pixelpark.com bkk-vorteilsrechner.de s.ytimg.com f.vimeocdn.com data:; font-src 'self' bkk-vorteilsrechner.de; style-src 'self' 'unsafe-inline' bkk-vorteilsrechner.de s.ytimg.com f.vimeocdn.com; script-src 'self' 'unsafe-inline' webstats.pixelpark.com bkk-vorteilsrechner.de s.ytimg.com f.vimeocdn.com; child-src 'self' bkk-vorteilsrechner.de www.youtube-nocookie.com player.vimeo.com; frame-ancestors 'self'\"" - "set X-Content-Security-Policy: \"default-src 'self'; img-src 'self' webstats.pixelpark.com bkk-vorteilsrechner.de s.ytimg.com f.vimeocdn.com data:; font-src 'self' bkk-vorteilsrechner.de; style-src 'self' 'unsafe-inline' bkk-vorteilsrechner.de s.ytimg.com f.vimeocdn.com; script-src 'self' 'unsafe-inline' webstats.pixelpark.com bkk-vorteilsrechner.de s.ytimg.com f.vimeocdn.com; child-src 'self' bkk-vorteilsrechner.de www.youtube-nocookie.com player.vimeo.com; frame-ancestors 'self'\"" -- 2.39.5