checker: align X-XSS-Protection severities with OWASP

Absent is now OK (OWASP recommends leaving it unset or set to 0), and filtering mode (bare 1 or 1; report=...) is Warn since selective script rewriting can itself introduce XSS. 1; mode=block stays Info.
2026-06-18 10:50:51 +09:00 · 2026-06-18 10:50:51 +09:00 · a652692ba4
commit a652692ba4
parent f4b8941a3d
3 changed files with 8 additions and 6 deletions
--- a/checker/rules_security_headers_test.go
+++ b/checker/rules_security_headers_test.go
@ -260,9 +260,11 @@ func TestXXSSProtectionRule(t *testing.T) {
 		want sdk.Status
 		code string
 	}{
-		{"", sdk.StatusInfo, "http.x_xss_protection.absent"},
+		{"", sdk.StatusOK, "http.x_xss_protection.absent"},
 		{"0", sdk.StatusOK, "http.x_xss_protection.disabled"},
 		{"1; mode=block", sdk.StatusInfo, "http.x_xss_protection.enabled"},
+		{"1", sdk.StatusWarn, "http.x_xss_protection.filtering"},
+		{"1; report=https://example.com/r", sdk.StatusWarn, "http.x_xss_protection.filtering"},
 	}
 	for _, c := range cases {
 		p := httpsProbe("a:443")