Hello Zimbra Customers, Partners & Friends,
In the past Zimbra recommended to set the X-XSS-Protection HTTP response header. This header used to enable additional protection against cross-site scripting (XSS) attacks in some web browsers. However this header is now deprecated and support is removed from most browsers. In case you have configured Zimbra to use the X-XSS-Protection header or if you are unsure if your Zimbra uses it, you can follow below steps to verify and disable the header. As continued use of the header may introduce new security vulnerabilities.
Verify and configure response headers
To find out the current response headers that Zimbra is configured to use, issue the following commands:
sudo su zimbra -
zmprov gcf zimbraResponseHeader
zimbraResponseHeader: Strict-Transport-Security: max-age=31536000; includeSubDomains
zimbraResponseHeader: X-XSS-Protection: 1; mode=block
zimbraResponseHeader: X-Content-Type-Options: nosniff
zimbraResponseHeader: X-Robots-Tag: noindex
Here you can see that the `X-XSS-Protection` header is actually in use. To remove the header issue the following commands:
zmprov mcf -zimbraResponseHeader "X-XSS-Protection: 1; mode=block"
Please note that you may not see the change until the browser cache is flushed.
Hardening Zimbra security
In case you are interested in further hardening your Zimbra security take a look at the following wiki pages:
Further reading about the X-XSS-Protection header deprecation
In case you are interested to learn more about the deprecation of the X-XSS-Protection header, check below links: