Magento2: X-XSS-Protection header gets set twice

Created on 1 Mar 2017 · 12 comments · Source: magento/magento2

Preconditions

  1. Magento 2.1.5 CE
  2. PHP 7.0.16
  3. Varnish 4.1.5

Steps to reproduce

  1. View any page over HTTP. Not tried HTTPS.

Expected result

  1. X-XSS-Protection should be set once

Actual result

  1. X-XSS-Protection: 1; mode=block, 1; mode=block set in headers. This error appears in Google Chrome Developer Tools. It does not show in Firebug.

Error:

Error parsing header X-XSS-Protection: 1; mode=block, 1; mode=block: expected semicolon at character position 14. The default protections will be applied
Labels: Cannot Reproduce, Clear Description, Format is valid

All 12 comments

The same with HTTPS and even HTTP/2

I got some error with my ssl.

The X-XSS-Protection header is being set in the XssProtection class.

I noticed we were also setting this header in our Nginx configuration file: add_header 'X-XSS-Protection' '1; mode=block;'; Removing this line fixed the issue.

I recommend checking your Nginx or Apache configuration for any lines that might be setting this header and remove them.

I have seen all three security headers set twice on many Magento 2 instances running on NGINX. The problem is that most nginx.conf files already include the same headers that Magento 2 is outputting. So what you get is something like this in the response headers:

X-Content-Type-Options:nosniff
X-Content-Type-Options:nosniff
X-Frame-Options:SAMEORIGIN
X-Frame-Options:SAMEORIGIN
X-XSS-Protection:1; mode=block
X-XSS-Protection:1; mode=block

with an error in Chrome console like this:

Error parsing header X-XSS-Protection: 1; mode=block, 1; mode=block: expected semicolon at character position 14. The default protections will be applied

Most people just recommend commenting out the add_header lines from the nginx.conf, but this can be problematic when other applications or sites on the same server need such securities in place. Consider the case when running M1 and M2 sites side-by-side on the same server. Magento 1 does not output all three headers as M2 does, it only added X-Frame-Options SAMEORIGIN since 1.9.x. In this scenario, the safer suggestion is to comment out the three add_header lines in the nginx.conf file to fix M2 duplicate headers output

```
#add_header X-Frame-Options SAMEORIGIN; ## added by mage core since CE 1.9.x
#add_header X-Content-Type-Options nosniff;
#add_header X-XSS-Protection "1; mode=block";
```

and then for each M1 site, include the two add_header lines (X-Content-Type-Options and X-XSS-Protection) to each sites-enabled .conf file in the server block:

```
server {
...
...
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
...
}
```
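A small check for the situation this comment describes (and for the proxy or load-balancer case, which produces the same symptom), added here as an example rather than code from the Magento project or from anyone in this thread: it parses a raw HTTP response, lists the single-valued security headers that arrive more than once, and locates the character at which the folded `X-XSS-Protection` value stops parsing. The sample response and the header grammar in `first_syntax_error` are assumptions constructed for the example.

```python
"""
Find security headers that a response carries more than once (e.g. once from
Magento 2 and once from nginx or haproxy in front of it) and check whether the
X-XSS-Protection value a client ends up with still parses.  The response text
below is constructed for this example, not captured from a real site.
"""
import re

# Headers Magento 2 emits itself; a browser expects each of them exactly once.
SINGLE_VALUED = ("x-content-type-options", "x-frame-options", "x-xss-protection")

# Constructed response: the application and the web server both add the same
# three headers, so each one appears twice.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_headers(raw_response):
    """Map each header name (lowercased) to the list of values it was sent with."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def duplicated_security_headers(raw_response):
    """Return {name: [values]} for every SINGLE_VALUED header sent twice or more."""
    return {name: values
            for name, values in parse_headers(raw_response).items()
            if name in SINGLE_VALUED and len(values) > 1}


# Assumed grammar, modelled on how browsers parsed this header: '0' or '1',
# then zero or more ';'-separated 'mode=block' or 'report=<url>' directives.
_XSS_LEAD = re.compile(r"\s*[01]\s*")
_XSS_DIRECTIVE = re.compile(r"\s*;\s*(mode=block|report=[^;,\s]+)\s*", re.IGNORECASE)


def first_syntax_error(xss_value):
    """Index of the first character that breaks the grammar above, or None if valid.

    When two copies are folded into '1; mode=block, 1; mode=block', the comma
    that joins them is the first offending character (index 13).
    """
    lead = _XSS_LEAD.match(xss_value)
    if lead is None:
        return 0
    pos = lead.end()
    while pos < len(xss_value):
        directive = _XSS_DIRECTIVE.match(xss_value, pos)
        if directive is None:
            return pos
        pos = directive.end()
    return None


def report(raw_response):
    """One finding per duplicated header; the value shown is what the client folds them into."""
    lines = []
    for name, values in duplicated_security_headers(raw_response).items():
        combined = ", ".join(values)
        line = f"{name}: sent {len(values)} times, client sees '{combined}'"
        if name == "x-xss-protection":
            bad = first_syntax_error(combined)
            line += (f" -> parse error at index {bad} ({combined[bad]!r})"
                     if bad is not None else " -> still parses")
        lines.append(line)
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_RESPONSE) or ["no duplicated security headers"]:
        print(line)
```

To check a real site, save the output of `curl -si` for the page and pass it to `report()`. The check does not care which layer added the second copy, so the same run covers nginx, Apache and a load balancer such as haproxy; if a header is still duplicated after the web-server config is cleaned up, the remaining copy is coming from further up the chain.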

@craigcarnell, thank you for your report.
We were not able to reproduce this issue by following the steps you provided. If you'd like to update it, please reopen the issue.
We tested the issue on 2.3.0-dev, 2.2.0, 2.1.9

For anyone that comes here: In addition to checking that the web-server (e.g. nginx) is not adding these extra headers, also check the load-balancer (e.g. haproxy), if there is one. In my case haproxy was adding these.

@vaimo-wilko you are right. In my case it was the same thing. The proxy was adding this header a second time.
However, there should be a possibility to disable the X-XSS-Protection header in Magento, because in most cases a proxy handles more than one site.

@magento-engcom-team I don't know how you couldn't reproduce it with the supplied info. The issue is that we can't turn off the added header. We have proxies and Nginx configs already set in place and Magento is adding an additional header.

@magento-engcom-team, I was able to reproduce it. It appears this is only an issue with "production" mode enabled. However, it doesn't appear to me in "developer" mode using an Ubuntu 14, NGINX based installation.

Magento 2.2.2, PHP 7.0.X

Thanks @michaelstephenson, updating the NGINX config to stop the header at the NGINX level resolves this issue.

Open .htaccess in the Magento 1 root folder and find 'X-XSS'; you get the line below:

```
Header set X-XSS-Protection: "1; mode=block" env=!ie8
```

Put '#' before this line.

@akssaiyad unfortunately this is the Magento 2 repository
