From 8014cf3c03d14592016365077c9b2a077b5a9c71 Mon Sep 17 00:00:00 2001
From: Alexander Matyushentsev
Date: Thu, 4 Feb 2021 15:27:31 -0800
Subject: [PATCH] feat: set X-XSS-Protection while serving static content (#5412)
Signed-off-by: Alexander Matyushentsev
---
 server/server.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/server/server.go b/server/server.go
index 2cd04e803f..caaa774a01 100644
--- a/server/server.go
+++ b/server/server.go
@@ -833,6 +833,7 @@ func (server *ArgoCDServer) newStaticAssetsHandler(dir string, baseHRef string)
 if server.XFrameOptions != "" {
 w.Header().Set("X-Frame-Options", server.XFrameOptions)
 }
+ w.Header().Set("X-XSS-Protection", "1")
 // serve index.html for non file requests to support HTML5 History API
 if acceptHTML && !fileRequest && (r.Method == "GET" || r.Method == "HEAD") {
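Review bot: The added `w.Header().Set("X-XSS-Protection", "1")` turns on the legacy browser XSS auditor in filter mode rather than block mode. In filter mode the browser rewrites the page in place, which is the variant that has itself been a source of side effects. If the header is kept for older browsers, `w.Header().Set("X-XSS-Protection", "1; mode=block")` is the safer value. Current browsers have removed the auditor and ignore this header, so a `Content-Security-Policy` is what actually protects the UI; whether one is set elsewhere is not visible in this hunk. Unlike `X-Frame-Options` just above, the value is hard-coded and unconditional, so operators cannot change or disable it, and it would help to add a comment such as `// legacy header; modern browsers ignore it, CSP is the real XSS control`. The handler body continues outside the hunk.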