fix: remove X-XSS-Protection header from helmet

ladjs · Jan 4, 2024 · aebb00d · aebb00d
1 parent ec17739
commit aebb00d
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/index.js b/index.js
@@ -259,6 +259,12 @@ class Web {
     // (needs to come before i18n so HSTS header gets added)
     if (this.config.helmet) app.use(helmet(this.config.helmet));
 
+    // remove X-XSS-Protection header from Helmet
+    app.use((ctx, next) => {
+      ctx.remove('X-XSS-Protection');
+      return next();
+    });
+
     // i18n
     if (this.config.i18n) {
       // create new @ladjs/i18n instance