checker: align X-XSS-Protection severities with OWASP

Absent is now OK (OWASP recommends leaving it unset or set to 0),
and filtering mode (bare 1 or 1; report=...) is Warn since selective
script rewriting can itself introduce XSS. 1; mode=block stays Info.
This commit is contained in:
nemunaire 2026-06-18 10:50:51 +09:00
commit a652692ba4
3 changed files with 8 additions and 6 deletions


@ -63,9 +63,9 @@ func init() {
Inspect: inspectXXSSProtection,
OnMissing: func(_ HTTPProbe, _ sdk.CheckerOptions) []HeaderResult {
return []HeaderResult{{
Status: sdk.StatusInfo,
Status: sdk.StatusOK,
Suffix: "absent",
Message: "X-XSS-Protection is not set; CSP is the recommended replacement.",
Message: "X-XSS-Protection is not set, which is acceptable (OWASP recommends leaving it unset or setting `0`); CSP is the proper protection.",
}}
},
}))
@ -235,8 +235,8 @@ func inspectXXSSProtection(value string, _ HTTPProbe, _ sdk.CheckerOptions) []He
}}
default:
return []HeaderResult{{
Status: sdk.StatusInfo, Suffix: "enabled",
Message: "X-XSS-Protection is enabled. Modern browsers ignore this header; CSP is the proper replacement.",
Status: sdk.StatusWarn, Suffix: "filtering",
Message: "X-XSS-Protection is in filtering mode (e.g. `1` or `1; report=...`). Selective script rewriting can itself introduce XSS in otherwise-safe pages. Set `0` or use `1; mode=block`, and rely on CSP instead.",
}}
}
}
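Review bot: The `default:` arm in the second hunk now reports every value the switch did not match as "filtering mode" at Warn, but the new message asserts a specific header value (`1` or `1; report=...`) while the arm also catches anything unrecognized, such as a malformed or unexpected value. The switch's explicit cases start outside the hunk, so I can't confirm which values reach `default`; if only `0` and `1; mode=block` are matched above, a stray value will be described as enabling filtering when the checker has not actually established that. Either add a case that matches `1` / `1; report=` explicitly and keep a separate fallback for unrecognized input, or hedge the text, e.g. `Message: "X-XSS-Protection has a filtering-mode or unrecognized value (e.g. \`1\` or \`1; report=...\`). Selective script rewriting can itself introduce XSS in otherwise-safe pages. Set \`0\` or use \`1; mode=block\`, and rely on CSP instead."`. The first hunk's OnMissing change looks consistent with the description and needs no change.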