Solved: Re: magento 2 X-XSS-Protection header gets set twi...

michele_canal · ‎02-25-2019

Hi,
I use magento 2 (version 2.3) and cloudFlare.

There is an error with http headers: X-XSS-Protection header gets set twice because magento add this and then ClouFlare add again.
See this post

It's not possible to remove CloudFlare headers, so I would like to remove magento XSS header.

I found the solution editing /vendor/magento/framework/App/Response/HeaderProvider/XssProtection.php:
I change

const HEADER_ENABLED = '1; mode=block';

to

const HEADER_ENABLED = '0';

But I don't want editing the core file. I would like to override it.
Can you explain me how, please?
Thanks

gelanivishal · ‎02-25-2019

Hello @michele_canal ,

I hope that you have basic knowledge of create a module in magento 2. You can override with below way

Create di.xml file in Folder Modulename/Extendfiles/etc directory

<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:ObjectManager/etc/config.xsd">
<preference for="Magento\Framework\App\Response\HeaderProvider\XssProtection" type="Modulename\Extendfiles\App\Response\HeaderProvider\XssProtection" />
</config>

--
If my answer is useful, please Accept as Solution & give Kudos

View solution in original post

gelanivishal · ‎02-25-2019