I have installed NC 10 on a hosting site (siteground). Their configuration is an nginx proxy server in front of apache.
When I go to the Admin Panel, I get a series of messages like:
The “X-XSS-Protection” HTTP header is not configured to equal to “1; mode=block”. This is a potential security or privacy risk and we recommend adjusting this setting.
Having raised a Support request with them, it appears that the headers are correct when output from Apache, but are being converted to lower case by nginx before being served to the client; so there is a header “x-xss-protection” with the required content.
Indeed there are two of them, due to “belt and braces” checking.
I have found no operational problem in my limited usage, but it does add unnecessary processing.
Whilst I have a lot of sympathy for the approach that says “We set them mixed case, so they shouldn’t mess with them”, this may be a sterile debate.
The standard RFC7230 (https://tools.ietf.org/html/rfc7230#page-22) says:
3.2. Header Fields
Each header field consists of a case-insensitive field name followed by a colon (":"), optional leading whitespace, the field value, and optional trailing whitespace.
So would it be possible to make the tests case insensitive in the code?
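As an added example (my own illustration, not Nextcloud's code), this is what a case-insensitive version of such a check looks like in Python. It is run against two constructed header blocks: the mixed-case headers as Apache emits them, and the lowercased, duplicated headers as the nginx proxy forwards them.

```python
# Added example (not Nextcloud's code): a header check that gives the same
# verdict whether the proxy preserves "X-XSS-Protection" or lowercases it.
from collections import defaultdict

# Header Nextcloud's admin panel expects, keyed by lowercased field name
# (RFC 7230 section 3.2: field names are case-insensitive). The expected
# value is the one quoted in the post.
EXPECTED = {
    "x-xss-protection": "1; mode=block",
}

def parse_headers(raw: str) -> dict:
    """Parse a raw HTTP header block into {lowercased name: [values...]}.
    Duplicate field names are kept as separate values, not collapsed."""
    headers = defaultdict(list)
    for line in raw.splitlines():
        if not line.strip() or line.startswith("HTTP/"):
            continue  # skip blank lines and the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()].append(value.strip())
    return dict(headers)

def check_headers(raw: str) -> list:
    """Return (name, status, detail) for each expected header.
    status is 'ok', 'ok-duplicate' (present twice, same value), 'wrong' or 'missing'."""
    results = []
    present = parse_headers(raw)
    for name, wanted in EXPECTED.items():
        values = present.get(name, [])
        if not values:
            results.append((name, "missing", ""))
        elif any(v != wanted for v in values):
            results.append((name, "wrong", ", ".join(values)))
        elif len(values) > 1:
            results.append((name, "ok-duplicate", ", ".join(values)))
        else:
            results.append((name, "ok", values[0]))
    return results

# Constructed sample responses: what Apache emits, and what the nginx proxy
# described in the post forwards (lowercased name, sent twice).
APACHE_RAW = "HTTP/1.1 200 OK\r\nX-XSS-Protection: 1; mode=block\r\nContent-Type: text/html\r\n"
NGINX_RAW = ("HTTP/1.1 200 OK\r\nx-xss-protection: 1; mode=block\r\n"
             "x-xss-protection: 1; mode=block\r\ncontent-type: text/html\r\n")

if __name__ == "__main__":
    for label, raw in (("apache", APACHE_RAW), ("nginx", NGINX_RAW)):
        print(label, check_headers(raw))
```

A case-sensitive lookup on "X-XSS-Protection" would report the nginx block as missing; this version reports it as present, and separately notes the duplicate so the redundant header can still be trimmed.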