From 4db1e7c4454ea05c524be4cc385ede1bab2e1be4 Mon Sep 17 00:00:00 2001
From: Micah Anderson <micah@riseup.net>
Date: Mon, 24 Oct 2016 11:31:41 -0400
Subject: Set X-XSS-Protection HTTP response header to '1'.

This HTTP response header enables the Cross-site scripting (XSS) filter
built into some modern web browsers. This header is usually enabled by
default anyway, so the role of this header is to re-enable the filter
if it was disabled maliciously, or by accident.
---
 puppet/modules/site_apache/templates/vhosts.d/api.conf.erb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
index 5e27a9e4..e68b9ebe 100644
--- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
+++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
@@ -23,6 +23,7 @@ Listen 0.0.0.0:<%= @api_port %>
 <% end -%>
     Header always unset X-Powered-By
     Header always unset X-Runtime
+    Header always set X-XSS-Protection "1; mode=block"
     Header always set X-Content-Type-Options: nosniff
   </IfModule>
 
-- 
cgit v1.2.3