Set X-XSS-Protection to 1; mode=block.

yesod-core/ChangeLog.md

@@ -1,3 +1,7 @@
+## 1.6.8
+
+* Sets the `X-XSS-Protection` header to `1; mode=block` [#1550](https://github.com/yesodweb/yesod/pull/1550)
+
 ## 1.6.7
 
 * If no matches are found, `selectRep` chooses first representation regardless

yesod-core/Yesod/Core/Class/Yesod.hs

@@ -337,12 +337,14 @@ defaultShouldLogIO :: LogSource -> LogLevel -> IO Bool
 defaultShouldLogIO _ level = return $ level >= LevelInfo
 
 -- | Default implementation of 'yesodMiddleware'. Adds the response header
--- \"Vary: Accept, Accept-Language\" and performs authorization checks.
+-- \"Vary: Accept, Accept-Language\", \"X-XSS-Protection: 1; mode=block\", and
+-- performs authorization checks.
 --
 -- Since 1.2.0
 defaultYesodMiddleware :: Yesod site => HandlerFor site res -> HandlerFor site res
 defaultYesodMiddleware handler = do
     addHeader "Vary" "Accept, Accept-Language"
+    addHeader "X-XSS-Protection" "1; mode=block"
     authorizationCheck
     handler
 

yesod-core/test/YesodCoreTest/Header.hs

@@ -69,9 +69,16 @@ header3Test = do
     assertHeader "michael" "snoyman" res
     assertHeader "yesod" "book" res
 
+xssHeaderTest :: IO ()
+xssHeaderTest = do
+  runner $ do
+    res <- request defaultRequest {pathInfo = decodePathSegments "/header1"}
+    assertHeader "X-XSS-Protection" "1; mode=block" res
+
 headerTest :: Spec
 headerTest =
   describe "Test.Header" $ do
     it "addHeader" addHeaderTest
     it "multiple header" multipleHeaderTest
     it "persist headers" header3Test
+    it "has X-XSS-Protection: 1; mode=block" xssHeaderTest

yesod-core/yesod-core.cabal

@@ -1,5 +1,5 @@
 name:            yesod-core
-version:         1.6.7
+version:         1.6.8
 license:         MIT
 license-file:    LICENSE
 author:          Michael Snoyman <michael@snoyman.com>