From 209764b611eb5f12122ec6f3d6de109a20be25d0 Mon Sep 17 00:00:00 2001
From: Mike Crute
Date: Tue, 26 Sep 2023 21:01:39 -0700
Subject: echo: disable old security headers

---
 echo/middleware/strict_secure.go | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/echo/middleware/strict_secure.go b/echo/middleware/strict_secure.go
index 0b61b92..2705724 100644
--- a/echo/middleware/strict_secure.go
+++ b/echo/middleware/strict_secure.go
@@ -11,12 +11,18 @@ import (
 // the legacy nginx proxy defaults.
 func StrictSecure() echo.MiddlewareFunc {
 return middleware.SecureWithConfig(middleware.SecureConfig{
- XFrameOptions: "SAMEORIGIN",
 ContentTypeNosniff: "nosniff",
- XSSProtection: "1; mode=block",
 ReferrerPolicy: "same-origin",
 HSTSExcludeSubdomains: false,
 HSTSPreloadEnabled: true,
 HSTSMaxAge: gltime.ToSeconds(2 * gltime.Year),
+
+ // No longer used, subsumed by the frame-source option of CSP:
+ // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ XFrameOptions: "",
+
+ // Should never be used according to:
+ // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
+ XSSProtection: "",
 })
 }
-- 
cgit v1.2.3
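Review bot: Clearing `XFrameOptions` (the `XFrameOptions: ""` line) drops the clickjacking protection the removed `SAMEORIGIN` value provided, but nothing in this SecureConfig sets `ContentSecurityPolicy`, so unless a CSP is applied elsewhere in the stack responses will now carry neither X-Frame-Options nor a frame-ancestors policy. The new comment also names the wrong directive: X-Frame-Options is superseded by `frame-ancestors` (who may embed this page), not `frame-src`/"frame-source" (what this page may embed). Suggest adding the equivalent policy in the same config, `ContentSecurityPolicy: "frame-ancestors 'self'",`, or keeping X-Frame-Options alongside it for clients that do not honour CSP level 2, and rewording the comment to `// Superseded by the CSP frame-ancestors directive:`. For `XSSProtection: ""`, omitting the header is consistent with the linked MDN guidance; sending an explicit `0` is the alternative some hardening guides prefer to disable the legacy auditor in older browsers, so the choice is worth a word in the comment.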