switches default value for security settings (#25175)

closes #25163

switches default value for security settings (#25175)
closes #25163
328ea80c · Carl Bergquist · GitHub · 3833aa41 · 328ea80c · 328ea80c
Commit 328ea80c authored May 28, 2020 by Carl Bergquist Committed by GitHub May 28, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 10 deletions

conf/defaults.ini
+4 -4

conf/sample.ini
+4 -4

pkg/setting/setting.go
+2 -2

No files found.
--- a/conf/defaults.ini
+++ b/conf/defaults.ini
@@ -202,12 +202,12 @@ strict_transport_security_subdomains = false

 # Set to true to enable the X-Content-Type-Options response header.
 # The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised
-# in the Content-Type headers should not be changed and be followed. The default will change to true in the next minor release, 6.3.
-x_content_type_options = false
+# in the Content-Type headers should not be changed and be followed.
+x_content_type_options = true

 # Set to true to enable the X-XSS-Protection header, which tells browsers to stop pages from loading
-# when they detect reflected cross-site scripting (XSS) attacks. The default will change to true in the next minor release, 6.3.
-x_xss_protection = false
+# when they detect reflected cross-site scripting (XSS) attacks.
+x_xss_protection = true


 #################################### Snapshots ###########################

--- a/conf/sample.ini
+++ b/conf/sample.ini
@@ -203,12 +203,12 @@

 # Set to true to enable the X-Content-Type-Options response header.
 # The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised
-# in the Content-Type headers should not be changed and be followed. The default will change to true in the next minor release, 6.3.
-;x_content_type_options = false
+# in the Content-Type headers should not be changed and be followed.
+;x_content_type_options = true

 # Set to true to enable the X-XSS-Protection header, which tells browsers to stop pages from loading
-# when they detect reflected cross-site scripting (XSS) attacks. The default will change to true in the next minor release, 6.3.
-;x_xss_protection = false
+# when they detect reflected cross-site scripting (XSS) attacks.
+;x_xss_protection = true

 #################################### Snapshots ###########################
 [snapshots]

--- a/pkg/setting/setting.go
+++ b/pkg/setting/setting.go
@@ -751,8 +751,8 @@ func (cfg *Cfg) Load(args *CommandLineArgs) error {

 	AllowEmbedding = security.Key("allow_embedding").MustBool(false)

-	ContentTypeProtectionHeader = security.Key("x_content_type_options").MustBool(false)
-	XSSProtectionHeader = security.Key("x_xss_protection").MustBool(false)
+	ContentTypeProtectionHeader = security.Key("x_content_type_options").MustBool(true)
+	XSSProtectionHeader = security.Key("x_xss_protection").MustBool(true)
 	StrictTransportSecurity = security.Key("strict_transport_security").MustBool(false)
 	StrictTransportSecurityMaxAge = security.Key("strict_transport_security_max_age_seconds").MustInt(86400)
 	StrictTransportSecurityPreload = security.Key("strict_transport_security_preload").MustBool(false)