From 328ea80ccac76bf8cd0e1a19c6a6d55abd98f3ae Mon Sep 17 00:00:00 2001
From: Carl Bergquist
Date: Thu, 28 May 2020 10:38:22 +0200
Subject: [PATCH] switches default value for security settings (#25175)

closes #25163
---
 conf/defaults.ini | 8 ++++----
 conf/sample.ini | 8 ++++----
 pkg/setting/setting.go | 4 ++--
 3 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/conf/defaults.ini b/conf/defaults.ini
index c1912f6b0c3..80b0631b2b0 100644
--- a/conf/defaults.ini
+++ b/conf/defaults.ini
@@ -202,12 +202,12 @@ strict_transport_security_subdomains = false
 # Set to true to enable the X-Content-Type-Options response header.
 # The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised
-# in the Content-Type headers should not be changed and be followed. The default will change to true in the next minor release, 6.3.
-x_content_type_options = false
+# in the Content-Type headers should not be changed and be followed.
+x_content_type_options = true
 
 # Set to true to enable the X-XSS-Protection header, which tells browsers to stop pages from loading
-# when they detect reflected cross-site scripting (XSS) attacks. The default will change to true in the next minor release, 6.3.
-x_xss_protection = false
+# when they detect reflected cross-site scripting (XSS) attacks.
+x_xss_protection = true
 
 #################################### Snapshots ###########################
diff --git a/conf/sample.ini b/conf/sample.ini
index 8c4b125a7a9..d71c8b3a594 100644
--- a/conf/sample.ini
+++ b/conf/sample.ini
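Review bot: The comment kept on the `x_xss_protection` line still presents `X-XSS-Protection` as an effective reflected-XSS defence, but Chromium-based browsers have removed their XSS auditor and Firefox never implemented the header, so turning it on by default only affects legacy clients, and the filter mode it selects (which depends on the header value Grafana emits, not visible in this patch) has itself been abused to break pages in the past. I would add a caveat to that comment, e.g. `# Note: this header is deprecated and ignored by most current browsers; a Content-Security-Policy is the real XSS mitigation.` The removed sentence was also the only text telling operators that the default used to be false; a short `# Default changed from false to true.` under each key would help anyone diffing their config after an upgrade.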
@@ -203,12 +203,12 @@
 # Set to true to enable the X-Content-Type-Options response header.
 # The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised
-# in the Content-Type headers should not be changed and be followed. The default will change to true in the next minor release, 6.3.
-;x_content_type_options = false
+# in the Content-Type headers should not be changed and be followed.
+;x_content_type_options = true
 
 # Set to true to enable the X-XSS-Protection header, which tells browsers to stop pages from loading
-# when they detect reflected cross-site scripting (XSS) attacks. The default will change to true in the next minor release, 6.3.
-;x_xss_protection = false
+# when they detect reflected cross-site scripting (XSS) attacks.
+;x_xss_protection = true
 
 #################################### Snapshots ###########################
 [snapshots]
diff --git a/pkg/setting/setting.go b/pkg/setting/setting.go
index c23f23b00bf..e5cd361b58a 100644
--- a/pkg/setting/setting.go
+++ b/pkg/setting/setting.go
@@ -751,8 +751,8 @@ func (cfg *Cfg) Load(args *CommandLineArgs) error {
  AllowEmbedding = security.Key("allow_embedding").MustBool(false)
 
- ContentTypeProtectionHeader = security.Key("x_content_type_options").MustBool(false)
- XSSProtectionHeader = security.Key("x_xss_protection").MustBool(false)
+ ContentTypeProtectionHeader = security.Key("x_content_type_options").MustBool(true)
+ XSSProtectionHeader = security.Key("x_xss_protection").MustBool(true)
  StrictTransportSecurity = security.Key("strict_transport_security").MustBool(false)
  StrictTransportSecurityMaxAge = security.Key("strict_transport_security_max_age_seconds").MustInt(86400)
  StrictTransportSecurityPreload = security.Key("strict_transport_security_preload").MustBool(false)
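Review bot: Dropping the "default will change" sentence leaves sample.ini with no hint that `x_content_type_options` was previously off, and if the header is emitted as `nosniff` (the value is not shown in this patch) browsers will refuse scripts and stylesheets served with a mismatched Content-Type, which operators of dashboards, plugins or reverse-proxied assets will only discover after upgrading. I would keep one line under the key, e.g. `# Default is true (previously false); set to false only if assets served with a wrong Content-Type stop loading.` The sample values are commented out with `;`, so the MustBool defaults in setting.go are what take effect, and this hunk keeps the two in step, which is the right thing to re-check on any future flip.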