I have installed NC 10 on a hosting site (siteground). Their configuration is an nginx proxy server in front of apache.
When I go to the Admin Panel, I get a series of messages like:
The "X-XSS-Protection" HTTP header is not configured to equal to "1; mode=block". This is a potential security or privacy risk and we recommend adjusting this setting
Having raised a Support request with them, it appears that the headers are correct when output from Apache, but are being converted to lower case by nginx before being served to the client; so there is a header "x-xss-protection" with the required content.
Indeed there are two of them, due to "belt and braces" checking.
I have found no operational problem in my limited usage, but it adds unnecessary processing.
Whilst I have a lot of sympathy for the approach that says "We set them mixed case, so they shouldn't mess with them", this may be a sterile debate.
The standard RFC7230 (https://tools.ietf.org/html/rfc7230#page-22) says
3.2. Header Fields
Each header field consists of a case-insensitive field name followed by a colon (":"), optional leading whitespace, the field value, and optional trailing whitespace.
So would it be possible to make the tests case insensitive in the code?
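To illustrate the difference between the brittle check described in the post and one that follows RFC 7230 §3.2, here is an added example (not code from the post, Nextcloud, or nginx). It parses constructed sample responses: one as Apache would emit it, and one as it arrives through a proxy that lower-cases header names and where the header appears twice. The exact-case check fails on the proxied response even though the header is present; the case-insensitive check accepts it, and also requires every duplicate occurrence to carry the expected value, so a weaker duplicate cannot hide behind a correct one.

```python
from collections import defaultdict

# Constructed sample responses (not captured from any real server).
RAW_APACHE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "\r\n"
)
# Same response after a proxy that lower-cases field names; the
# security header is duplicated ("belt and braces").
RAW_PROXIED = (
    "HTTP/1.1 200 OK\r\n"
    "content-type: text/html\r\n"
    "x-xss-protection: 1; mode=block\r\n"
    "x-xss-protection: 1; mode=block\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Parse the header block of a raw HTTP/1.1 response into a dict keyed
    by lower-cased field name (RFC 7230 s3.2: names are case-insensitive).
    Values are lists, because a field may legitimately repeat."""
    headers = defaultdict(list)
    head, _, _body = raw.partition("\r\n\r\n")
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header field line
        headers[name.strip().lower()].append(value.strip())
    return headers


def header_ok_case_sensitive(raw, name, expected):
    """The brittle check: exact-case match on the raw text. Reports the
    header as missing when a proxy has changed the case of its name."""
    return f"{name}: {expected}\r\n" in raw


def header_ok(raw, name, expected):
    """RFC-conformant check: case-insensitive name lookup, and every
    occurrence of the field must carry the expected value."""
    values = parse_headers(raw).get(name.lower(), [])
    return bool(values) and all(v == expected for v in values)


if __name__ == "__main__":
    for label, raw in (("apache", RAW_APACHE), ("proxied", RAW_PROXIED)):
        print(label,
              "exact-case:", header_ok_case_sensitive(raw, "X-XSS-Protection", "1; mode=block"),
              "rfc7230:", header_ok(raw, "X-XSS-Protection", "1; mode=block"))
```

Comparing the field value exactly is deliberate: the header name is case-insensitive by the RFC, but the value syntax of each header is defined by that header's own specification, so normalising values should be done per header rather than globally.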