Question

I use magento 2 (version 2.3) and cloudFlare.

There is an error with HTTP headers: the X-XSS-Protection header gets set twice, because Magento adds it and then Cloudflare adds it again. See this post

It's not possible to remove Cloudflare headers, so I would like to remove Magento's XSS header.

I found a solution by editing /vendor/magento/framework/App/Response/HeaderProvider/XssProtection.php: I change

const HEADER_ENABLED = '1; mode=block';

to

const HEADER_ENABLED = '0';

But I don't want to edit the core file. I would like to override it. Can you explain to me how, please? Thanks


Solution

You need to modify the getValue method. Try the following way:

app/code/SR/MagentoCommunity/etc/di.xml


<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:noNamespaceSchemaLocation="urn:magento:framework:ObjectManager/etc/config.xsd">
    <type name="Magento\Framework\App\Response\HeaderProvider\XssProtection">
        <plugin name="disable_xssprotection_header"
                type="SR\MagentoCommunity\Plugin\Framework\App\Response\HeaderProvider\XssProtection" sortOrder="1"/>
    </type>
</config>

app/code/SR/MagentoCommunity/Plugin/Framework/App/Response/HeaderProvider/XssProtection.php


<?php
namespace SR\MagentoCommunity\Plugin\Framework\App\Response\HeaderProvider;

/**
 * Around-plugin on the core XssProtection header provider.
 * Replaces the header value ('1; mode=block') with '0', so the
 * X-XSS-Protection header Magento emits disables the filter instead.
 */
class XssProtection
{
    public function aroundGetValue(
        \Magento\Framework\App\Response\HeaderProvider\XssProtection $subject,
        \Closure $proceed
    ) {
        // Header values are strings; return '0' rather than the integer 0.
        // $proceed is deliberately not called: the core value is discarded.
        return '0';
    }
}

Another solution:

You can completely avoid this header. In that case, you need to replace the class with the following one.

app/code/SR/MagentoCommunity/Plugin/Framework/App/Response/HeaderProvider/XssProtection.php


<?php
namespace SR\MagentoCommunity\Plugin\Framework\App\Response\HeaderProvider;

/**
 * Around-plugin on canApply(): returning false makes the header manager
 * skip this provider, so Magento never sends X-XSS-Protection at all and
 * only the copy added by Cloudflare remains.
 */
class XssProtection
{
    public function aroundCanApply(
        \Magento\Framework\App\Response\HeaderProvider\XssProtection $subject,
        \Closure $proceed
    ) {
        return false;
    }
}
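After deploying either plugin, it is worth confirming that the response now carries a single X-XSS-Protection header. The following check is an added example, not part of the original answer; the response heads in it are constructed to mirror the question's before/after situation, and the URL in the trailing comment is a placeholder.

```shell
#!/bin/sh
# Constructed sample: the response head the question describes, with
# Magento and Cloudflare each emitting X-XSS-Protection (duplicate).
BEFORE='HTTP/2 200
server: cloudflare
x-xss-protection: 1; mode=block
x-xss-protection: 1; mode=block
content-type: text/html; charset=UTF-8'

# Constructed sample: the same head after Magento's copy is disabled,
# leaving only the header Cloudflare adds.
AFTER='HTTP/2 200
server: cloudflare
x-xss-protection: 1; mode=block
content-type: text/html; charset=UTF-8'

# count_header NAME HEAD
# Prints how many times header NAME appears in HEAD. The name match is
# case-insensitive because HTTP header names are case-insensitive
# (HTTP/2 lowercases them, HTTP/1.1 servers often do not).
count_header() {
    printf '%s\n' "$2" | grep -i -c -- "^$1:"
}

# check_single NAME HEAD
# Succeeds (exit 0) only when NAME occurs exactly once; any other count,
# including zero, is a failure so a misconfiguration is not silently passed.
check_single() {
    [ "$(count_header "$1" "$2")" -eq 1 ]
}

# Against a live deployment (placeholder URL), e.g.:
#   check_single x-xss-protection "$(curl -sI https://shop.example.invalid/)" \
#       && echo "ok: one X-XSS-Protection header" \
#       || echo "FAIL: header count is $(count_header x-xss-protection "$(curl -sI https://shop.example.invalid/)")"
```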
Licensed under: CC-BY-SA with attribution
Not affiliated with magento.stackexchange