
Releases: GetPageSpeed/ngx_security_headers

v0.3.0: Deprecate X-XSS-Protection header

15 Feb 11:15


Breaking Change

The default for security_headers_xss changed from off to unset:

  • Previously: Sent X-XSS-Protection: 0 by default
  • Now: Actively removes the X-XSS-Protection header from responses

To restore the previous behavior, use:

security_headers_xss off;

Why this change?

The X-XSS-Protection header is deprecated. Current browsers ignore it, and in the older browsers that still honour it the XSS filter it switches on can itself be abused to create XSS and information-leak conditions, which is why browser vendors removed the feature. Sending the header therefore adds risk for old clients and nothing for new ones.

New unset option

The new unset value actively removes the header from responses, including any set by upstream/proxied servers. This is now the default.

Value            Behavior
unset (default)  Actively removes the header, including one set by an upstream
omit             Does nothing; an upstream X-XSS-Protection header passes through
off              Sends X-XSS-Protection: 0
on               Sends X-XSS-Protection: 1
block            Sends X-XSS-Protection: 1; mode=block

v0.2.0: Cross-Origin Security Headers

03 Feb 10:58


What's New

This release adds support for three Cross-Origin HTTP security headers as requested in #17:

New Directives

Directive              Values                                                     Default
security_headers_corp  same-site, same-origin, cross-origin, omit                 same-site
security_headers_coop  same-origin, same-origin-allow-popups, unsafe-none, omit   omit
security_headers_coep  require-corp, credentialless, unsafe-none, omit            omit

Design Decisions

  • CORP defaults to same-site - A safe default that only constrains how YOUR resources may be embedded by other sites (browsers refuse no-cors loads of them from a different site); it does not change what your own pages can load
  • COOP/COEP default to omit - Opt-in because they can break popup communication and third-party resources
  • COEP includes credentialless - Provides a middle ground for cross-origin isolation

Cross-Origin Isolation

To enable full cross-origin isolation (required for SharedArrayBuffer):

security_headers on;
security_headers_corp same-origin;
security_headers_coop same-origin;
security_headers_coep require-corp;

⚠️ Warning: Under full isolation (COEP require-corp) the browser blocks every cross-origin subresource (scripts, images, fonts, iframes) that neither sends a permissive Cross-Origin-Resource-Policy nor is fetched with CORS (for example crossorigin="anonymous"). If third-party assets you do not control break, security_headers_coep credentialless; is the less strict alternative: the page is still cross-origin isolated, but no-cors cross-origin requests are sent without credentials instead of being refused.
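Checking the v0.3.0 and v0.2.0 defaults against a real response, as an added example that is not code from the ngx_security_headers project: the script parses a response captured with `curl -si`, reports whether X-XSS-Protection was stripped as the unset default intends (duplicates and enabled values are separate findings), and applies the browser's crossOriginIsolated rule to the COOP/COEP values. The two embedded responses are constructed for illustration, and all function names are the example's own.

```python
"""Audit a captured HTTP response for the headers ngx_security_headers manages.

Added example, not part of the ngx_security_headers project. The two responses
below are constructed to look like `curl -si` output from an nginx proxy
before and after the v0.2.0 / v0.3.0 defaults.
"""
from typing import Dict, List, Tuple

# Constructed sample: the upstream app still emits the deprecated header and the
# proxy passes it through (the `omit` behaviour); no cross-origin headers at all.
RESPONSE_BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.24.0\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
    "<html></html>"
)

# Constructed sample: v0.3.0 `unset` stripped X-XSS-Protection and the
# cross-origin isolation trio from the v0.2.0 notes is present.
RESPONSE_AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Cross-Origin-Resource-Policy: same-origin\r\n"
    "Cross-Origin-Opener-Policy: same-origin\r\n"
    "Cross-Origin-Embedder-Policy: require-corp\r\n"
    "\r\n"
    "<html></html>"
)


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Map lower-cased header name -> list of values. Duplicates are kept
    because a security header sent twice is itself a finding."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # tolerate a stray non-header line
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def first_token(value: str) -> str:
    """First token of a header value, dropping parameters such as
    `; report-to="default"` that COOP/COEP may carry."""
    return value.split(";", 1)[0].strip().lower()


def xss_protection_findings(headers: Dict[str, List[str]]) -> List[str]:
    """An empty list means the header is absent, which is what the v0.3.0
    `unset` default produces. Anything else is reported."""
    values = headers.get("x-xss-protection", [])
    findings: List[str] = []
    if len(values) > 1:
        findings.append("X-XSS-Protection sent more than once: " + " | ".join(values))
    for v in values:
        if first_token(v) == "0":
            findings.append("X-XSS-Protection: 0 present (the old `off` default); harmless but obsolete")
        else:
            findings.append(
                f"X-XSS-Protection enabled ({v}); deprecated, and the filter it turns on "
                "can itself be abused for XSS in browsers that still honour it"
            )
    return findings


def is_cross_origin_isolated(headers: Dict[str, List[str]]) -> Tuple[bool, List[str]]:
    """The browser's crossOriginIsolated condition: exactly one COOP of
    same-origin and exactly one COEP of require-corp or credentialless."""
    reasons: List[str] = []
    coop = [first_token(v) for v in headers.get("cross-origin-opener-policy", [])]
    coep = [first_token(v) for v in headers.get("cross-origin-embedder-policy", [])]
    if coop != ["same-origin"]:
        reasons.append(f"Cross-Origin-Opener-Policy is {coop or 'absent'}; need same-origin")
    if coep not in (["require-corp"], ["credentialless"]):
        reasons.append(f"Cross-Origin-Embedder-Policy is {coep or 'absent'}; need require-corp or credentialless")
    return (not reasons, reasons)


def audit(raw: str) -> Dict[str, object]:
    """Combine the checks into one report for a captured response."""
    headers = parse_headers(raw)
    isolated, gaps = is_cross_origin_isolated(headers)
    return {
        "xss_findings": xss_protection_findings(headers),
        "cross_origin_isolated": isolated,
        "isolation_gaps": gaps,
        "corp": [first_token(v) for v in headers.get("cross-origin-resource-policy", [])],
    }


if __name__ == "__main__":
    for label, raw in (("before", RESPONSE_BEFORE), ("after", RESPONSE_AFTER)):
        print(label, audit(raw))
```

To run it against a live server, replace the constructed strings with the output of `curl -si https://your-host/` (the `-i` keeps the status line the parser expects). A response where `xss_findings` is empty and `cross_origin_isolated` is true is what the v0.3.0 default plus the isolation configuration above should produce.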

References

Fixes #17

v0.1.2

26 Apr 11:51
1a257f8


What's Changed

  • More headers to hide, more tests, if replaced by switch by @novashdima in #23

New Contributors

Full Changelog: 0.1.1...0.1.2

v0.1.1

09 Nov 09:05
390dc7c


Fixed issue with scheme extraction (#22), thanks to @kosmas-valianos for the contribution.

v0.1.0

05 Sep 17:47


Fixed

  • HSTS set to 1 year instead of 2 years by default (#18)
  • New default X-XSS-Protection: 0, see #19

v0.0.11

18 Mar 07:38


Fixed

  • Sending the HSTS header no longer requires building with OpenSSL (#12)
  • Fixed: the preload flag was not added to HSTS by default (#15)

v0.0.10

13 Mar 18:04


  • Ability to opt out of the preload flag added to HSTS, using security_headers_hsts_preload off;
  • Remove the X-Application-Version header
  • When deciding whether to add HSTS, check that the request URL scheme is https:// rather than the connection protocol (#12)

v0.0.9

29 Feb 00:22


  • Hide more server tokens
  • Optimization (e.g. don't send X-Frame-Options for non-HTML)

v0.0.8

05 Dec 20:03


Added security_headers_referrer_policy directive

v0.0.7

01 Sep 18:53


  • Reliable header replacement
  • Added HSTS