From 8046d27bab4660e409c08f97ba2a4ec281579d4f Mon Sep 17 00:00:00 2001 From: Ercan Date: Thu, 12 Mar 2026 15:51:07 +0100 Subject: [PATCH] Align X-Frame-Options with CSP and add missing X-XSS-Protection header Two issues in the SecurityHeadersMiddleware configuration: 1. setXFrameOptions() was called without an argument, which defaults to SAMEORIGIN. The comment above explicitly states 'Don't allow framing the site', and ContentSecurityPolicyMiddleware already sets 'frame-ancestors none' in the CSP. The X-Frame-Options header was inconsistently weaker than the declared CSP policy. Fix: pass 'deny' to match the intent and the CSP. 2. The comment 'Tell browser to block XSS attempts' was present but setXssProtection() was never called, leaving X-XSS-Protection absent from responses. While modern browsers rely on CSP over this legacy header, it provides defence-in-depth for older user agents. Fix: add ->setXssProtection() to the chain. --- src/Application.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/Application.php b/src/Application.php index e87c0fc9ab..8e504b620c 100644 --- a/src/Application.php +++ b/src/Application.php @@ -146,7 +146,8 @@ public function middleware(MiddlewareQueue $middlewareQueue): MiddlewareQueue $headers ->setCrossDomainPolicy() ->setReferrerPolicy() - ->setXFrameOptions() + ->setXFrameOptions('deny') + ->setXssProtection() ->noOpen() ->noSniff();
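Review bot: the `+ ->setXssProtection()` line relies on the method's default mode, which is not visible in this hunk, while the commit message itself concedes the header is legacy and only serves older user agents; make the chosen mode explicit in the call and in the adjacent comment, since the legacy XSS auditor has known drawbacks and current guidance generally favours disabling it (`X-XSS-Protection: 0`) in favour of the CSP the message says is already in place. The same applies to `->setXFrameOptions('deny')`: the message states `frame-ancestors` is set to `none` by ContentSecurityPolicyMiddleware, but nothing in the diff shows it, so a response-header test asserting both `X-Frame-Options: deny` and the CSP `frame-ancestors` directive would keep the two from drifting apart again.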