cancel
Showing results for 
Search instead for 
Did you mean: 

magento 2 X-XSS-Protection header gets set twice - override XssProtection.php

SOLVED

magento 2 X-XSS-Protection header gets set twice - override XssProtection.php

Hi,
I use magento 2 (version 2.3) and cloudFlare.

There is an error with http headers: X-XSS-Protection header gets set twice because magento add this and then ClouFlare add again.
See this post

It's not possible to remove CloudFlare headers, so I would like to remove magento XSS header.

I found the solution editing /vendor/magento/framework/App/Response/HeaderProvider/XssProtection.php:
I change

const HEADER_ENABLED = '1; mode=block';

to

const HEADER_ENABLED = '0';

But I don't want editing the core file. I would like to override it.
Can you explain me how, please?
Thanks

1 ACCEPTED SOLUTION

Accepted Solutions

Re: magento 2 X-XSS-Protection header gets set twice - override XssProtection.php

Hello @michele_canal ,

 

I hope that you have basic knowledge of create a module in magento 2. You can override with below way

 

Create di.xml file in Folder Modulename/Extendfiles/etc directory

<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:ObjectManager/etc/config.xsd">
<preference for="Magento\Framework\App\Response\HeaderProvider\XssProtection" type="Modulename\Extendfiles\App\Response\HeaderProvider\XssProtection" />
</config>


--
If my answer is useful, please Accept as Solution & give Kudos

View solution in original post

1 REPLY 1

Re: magento 2 X-XSS-Protection header gets set twice - override XssProtection.php

Hello @michele_canal ,

 

I hope that you have basic knowledge of create a module in magento 2. You can override with below way

 

Create di.xml file in Folder Modulename/Extendfiles/etc directory

<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:ObjectManager/etc/config.xsd">
<preference for="Magento\Framework\App\Response\HeaderProvider\XssProtection" type="Modulename\Extendfiles\App\Response\HeaderProvider\XssProtection" />
</config>


--
If my answer is useful, please Accept as Solution & give Kudos