Correcting X-XSS-Protection Header (NginxProxyManager#136)

OhHeyAlan · jc21 · commit 4fad9d672fe7 · 2019-05-08T10:11:05.000+10:00
* Correcting X-XSS-Protection Header

X-XSS-Protection sets the configuration for the cross-site scripting filters built into most browsers. The best configuration is "X-XSS-Protection: 1; mode=block".

Was "0"
Now "1; mode=block"

* Update issue templates
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,36 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: bug
+assignees: ''
+
+---
+
+**Checklist**
+- Have you pulled and found the error with `jc21/nginx-proxy-manager:latest` docker image?
+- Are you sure you're not using someone else's docker image?
+- If having problems with Lets Encrypt, have you made absolutely sure your site is accessible from outside of your network?
+
+**Describe the bug**
+- A clear and concise description of what the bug is.
+- What version of Nginx Proxy Manager is reported on the login page?
+
+**To Reproduce**
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Operating System**
+- Please specify if using a Rpi, Mac, orchestration tool or any other setups that might affect the reproduction of this error.
+
+**Additional context**
+Add any other context about the problem here, docker version, browser version if applicable to the problem. Too much info is better than too little.
diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -0,0 +1,20 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: enhancement
+assignees: ''
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.
diff --git a/src/backend/app.js b/src/backend/app.js
@@ -48,7 +48,7 @@ app.use(function (req, res, next) {
 
     res.set({
         'Strict-Transport-Security': 'includeSubDomains; max-age=631138519; preload',
-        'X-XSS-Protection':          '0',
+        'X-XSS-Protection':          '1; mode=block',
         'X-Content-Type-Options':    'nosniff',
         'X-Frame-Options':           x_frame_options,
         'Cache-Control':             'no-cache, no-store, max-age=0, must-revalidate',
