Merge pull request #30 from grahamburgsma/allow-no-xss

Allow setting no XSS header
brokenhandsio · Nov 3, 2024 · 0a25315 · 0a25315
2 parents e1369d2 + eaa50ed
commit 0a25315
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 4 deletions.
diff --git a/Sources/VaporSecurityHeaders/SecurityHeaders.swift b/Sources/VaporSecurityHeaders/SecurityHeaders.swift
@@ -7,13 +7,17 @@ public struct SecurityHeaders {
     init(contentTypeConfiguration: ContentTypeOptionsConfiguration = ContentTypeOptionsConfiguration(option: .nosniff),
          contentSecurityPolicyConfiguration: ContentSecurityPolicyConfiguration = ContentSecurityPolicyConfiguration(value: ContentSecurityPolicy().defaultSrc(sources: CSPKeywords.`self`)),
          frameOptionsConfiguration: FrameOptionsConfiguration = FrameOptionsConfiguration(option: .deny),
-         xssProtectionConfiguration: XSSProtectionConfiguration = XSSProtectionConfiguration(),
+         xssProtectionConfiguration: XSSProtectionConfiguration? = XSSProtectionConfiguration(),
          hstsConfiguration: StrictTransportSecurityConfiguration? = nil,
          serverConfiguration: ServerConfiguration? = nil,
          contentSecurityPolicyReportOnlyConfiguration: ContentSecurityPolicyReportOnlyConfiguration? = nil,
          referrerPolicyConfiguration: ReferrerPolicyConfiguration? = nil) {
-        configurations = [contentTypeConfiguration, contentSecurityPolicyConfiguration, frameOptionsConfiguration, xssProtectionConfiguration]
+        configurations = [contentTypeConfiguration, contentSecurityPolicyConfiguration, frameOptionsConfiguration]
 
+        if let xssProtectionConfiguration {
+            configurations.append(xssProtectionConfiguration)
+        }
+
         if let hstsConfiguration = hstsConfiguration {
             configurations.append(hstsConfiguration)
         }

diff --git a/Sources/VaporSecurityHeaders/SecurityHeadersFactory.swift b/Sources/VaporSecurityHeaders/SecurityHeadersFactory.swift
@@ -4,7 +4,7 @@ public class SecurityHeadersFactory {
     var contentTypeOptions = ContentTypeOptionsConfiguration(option: .nosniff)
     var contentSecurityPolicy = ContentSecurityPolicyConfiguration(value: ContentSecurityPolicy().defaultSrc(sources: CSPKeywords.`self`))
     var frameOptions = FrameOptionsConfiguration(option: .deny)
-    var xssProtection = XSSProtectionConfiguration()
+    var xssProtection: XSSProtectionConfiguration? = XSSProtectionConfiguration()
     var hsts: StrictTransportSecurityConfiguration?
     var server: ServerConfiguration?
     var referrerPolicy: ReferrerPolicyConfiguration?
@@ -33,7 +33,7 @@ public class SecurityHeadersFactory {
         return self
     }
 
-    @discardableResult public func with(XSSProtection configuration: XSSProtectionConfiguration) -> SecurityHeadersFactory {
+    @discardableResult public func with(XSSProtection configuration: XSSProtectionConfiguration?) -> SecurityHeadersFactory {
         xssProtection = configuration
         return self
     }

diff --git a/Tests/VaporSecurityHeadersTests/HeaderTests.swift b/Tests/VaporSecurityHeadersTests/HeaderTests.swift
@@ -140,6 +140,13 @@ class HeaderTests: XCTestCase {
 
         XCTAssertEqual("0", response.headers[.xssProtection].first)
     }
+
+    func testHeaderWithXssProtectionDisabled() throws {
+        let factory = SecurityHeadersFactory().with(XSSProtection: nil)
+        let response = try makeTestResponse(for: request, securityHeadersToAdd: factory)
+
+        XCTAssertNil(response.headers[.xssProtection].first)
+    }
 
     func testHeaderWithHSTSwithMaxAge() throws {
         let hstsConfig = StrictTransportSecurityConfiguration(maxAge: 30)