Description of problem:
Customer is reporting that their pentests are failing (low severity) because the X-XSS-Protection header (to prevent cross-site scripting attacks) is missing on the OpenShift console.

Version-Release number of selected component (if applicable):
All 3.x

How reproducible:
Always

Steps to Reproduce:
1. pentest the console using Kali

Actual results:
X-XSS-Protection header test fails

Expected results:
X-XSS-Protection header test succeeds

Additional info:
What HTTP response specifically is missing this header? Both the 3.11 and 4.1 web consoles do have it set.
This response comes from the API server. Updating the component. The console itself has the header.
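The check behind this finding can be reproduced without a scanner. The following Python script is an added example, not part of this bug report or of OpenShift's code: it evaluates a response's headers for X-XSS-Protection, distinguishes "header absent" from "header present with an unexpected value", and runs against two constructed sample responses (hypothetical endpoint names, not captured traffic) that model the situation described above, where the console page sets the header and the API server response does not. `fetch_headers` is an optional live helper for pointing the same check at a real URL; the `cafile` parameter is there so a cluster CA can be trusted instead of verification being switched off.

```python
"""Offline check for the X-XSS-Protection header on HTTP responses."""
import ssl
import urllib.request
from typing import Mapping, Optional

# Value the scanner in this report expects on every HTML response.
EXPECTED_TOKENS = ["1", "mode=block"]


def check_xss_protection(headers: Mapping[str, str]) -> dict:
    """Evaluate one response's headers for X-XSS-Protection.

    Header names are matched case-insensitively, and the value is split on ';'
    so "1;mode=block" and "1; mode=block" are both accepted. The result
    separates the two failure modes a report should distinguish: header absent,
    or header present with an unexpected value (e.g. "0", which turns the
    browser filter off).
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    value: Optional[str] = lowered.get("x-xss-protection")
    if value is None:
        return {"present": False, "value": None, "ok": False}
    tokens = [t.strip() for t in value.split(";") if t.strip()]
    return {"present": True, "value": value, "ok": tokens == EXPECTED_TOKENS}


def failing_endpoints(responses: Mapping[str, Mapping[str, str]]) -> list:
    """Return the names of responses that fail the header check, in input order."""
    return [name for name, hdrs in responses.items()
            if not check_xss_protection(hdrs)["ok"]]


def fetch_headers(url: str, cafile: Optional[str] = None, timeout: float = 10.0) -> dict:
    """Fetch a URL and return its response headers (live network; not used by the sample below).

    cafile lets you trust a cluster's own CA rather than disabling verification.
    """
    context = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(url, timeout=timeout, context=context) as resp:
        return dict(resp.headers.items())


# Constructed sample responses (hypothetical endpoint names, not captured traffic):
# the console page sets the header, the API server response does not.
SAMPLE_RESPONSES = {
    "console /": {
        "Content-Type": "text/html; charset=utf-8",
        "X-XSS-Protection": "1; mode=block",
    },
    "api-server /api": {
        "Content-Type": "application/json",
        "Cache-Control": "no-store",
    },
}

if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        print(name, check_xss_protection(hdrs))
    print("failing:", failing_endpoints(SAMPLE_RESPONSES))
```

Two things worth keeping in mind when triaging this class of finding. First, a JSON API response is not rendered as a page, so the header is a scanner checkbox there rather than a control that changes browser behaviour; the finding is about the endpoint serving the HTML. Second, X-XSS-Protection only ever drove the heuristic XSS filters of older browsers (Chrome and Edge have removed theirs, and Firefox never implemented one), so a Content-Security-Policy on the console's HTML responses is what actually limits injected script today; setting the header still keeps scanners quiet and costs nothing.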