Expected Behavior

By default, Spring Security should send this HTTP header: X-XSS-Protection: 0

Current Behavior

By default, Spring Security sends this HTTP header: X-XSS-Protection: 1; mode=block

Context

OWASP has updated its recommendation regarding the X-XSS-Protection HTTP header.

OWASP used to recommend the header be set to 1; mode=block, which is what Spring Security does by default today. See https://docs.spring.io/spring-security/site/docs/current/reference/html5/#headers-xss-protection

However, they now recommend the header be set to 0.

See https://github.com/OWASP/CheatSheetSeries/issues/376

Comment From: rwinch

Thanks for the report. Given this breaks passivity, I've assigned it for the 6.x release.

Comment From: blacelle

While this can be easily configured in HeadersConfigurer.xssProtection():

```java
http.headers()
    .xssProtection()
    .xssProtectionEnabled(false)
```

It is more complicated with ServerHttpSecurity.HeaderSpec.xssProtection() as the header can only be removed (instead of configured to 0 / the recommended value).
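The two situations described in the comment above, as an added example that is not code from the issue or from Spring Security itself: on the servlet stack the existing `XXssConfig.xssProtectionEnabled(false)` makes `XXssProtectionHeaderWriter` emit `X-XSS-Protection: 0`; on the reactive stack `HeaderSpec.xssProtection()` only offers `disable()`, so the example removes Spring Security's writer and re-adds the header with value `0` from a plain `WebFilter`. The class names, bean names and the `WebFilter` workaround are this example's own assumptions, not an API the issue or the project describes.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.web.server.WebFilter;
import reactor.core.publisher.Mono;

// Added example, not Spring Security's own code. A real application uses one of the
// two configuration classes below, never both; they are shown together for comparison.

// Servlet (Spring MVC) stack: xssProtectionEnabled(false) switches the writer to "0",
// which is the value OWASP now recommends, so no extra filter is needed.
@Configuration
@EnableWebSecurity
class ServletXssHeaderConfig {

    @Bean
    SecurityFilterChain servletChain(HttpSecurity http) throws Exception {
        http.headers(headers -> headers
                .xssProtection(xss -> xss.xssProtectionEnabled(false)));
        return http.build();
    }
}

// Reactive (WebFlux) stack: XssProtectionSpec can only disable() the header, so the
// assumed workaround is to drop Spring Security's writer and set "0" from a WebFilter.
@Configuration
@EnableWebFluxSecurity
class ReactiveXssHeaderConfig {

    static final String HEADER_NAME = "X-XSS-Protection";
    static final String RECOMMENDED_VALUE = "0";

    @Bean
    SecurityWebFilterChain reactiveChain(ServerHttpSecurity http) {
        // Remove the default "1; mode=block" writer entirely.
        http.headers(headers -> headers
                .xssProtection(ServerHttpSecurity.HeaderSpec.XssProtectionSpec::disable));
        return http.build();
    }

    @Bean
    WebFilter xssProtectionZeroFilter() {
        // beforeCommit runs just before response headers are flushed, so the value
        // set here wins over anything a handler wrote earlier in the exchange.
        return (exchange, chain) -> {
            exchange.getResponse().beforeCommit(() -> {
                exchange.getResponse().getHeaders().set(HEADER_NAME, RECOMMENDED_VALUE);
                return Mono.empty();
            });
            return chain.filter(exchange);
        };
    }
}
```

Either configuration can be checked by requesting any endpoint and confirming the response carries exactly one `X-XSS-Protection: 0` header; if the reactive filter is omitted, the header is absent rather than `0`, which is the gap the comment above points out.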

Comment From: Kehrlann

Hey there 👋 I'm interested in picking this one up.