ATLAS-5160: Remove deprecated X-XSS-PROTECTION header from HTTP response headers initialization and Atlas Spring Security Config

[aditya-gupta36]

What changes were proposed in this pull request?

1. One of the headers included is X-XSS-PROTECTION, which is now deprecated and no longer supported by modern browsers.

• Remove the X-XSS-PROTECTION response header
• Remove related constants (X_XSS_PROTECTION_KEY, X_XSS_PROTECTION_VAL) if no longer referenced
• Update tests (including HeadersUtilTest, AtlasSecurityConfigTest) accordingly

2. Expected Outcome

• Atlas no longer sends deprecated headers

3. Insights

• So if we still do not pass the XSS-Protection header, it will still be created in the response header with a default value: "1; mode=block""
• So we can disable it at the Spring Security level in the AtlasSecurityConfig class:
• Solution: By adding .headers().xssProtection().disable(), you are explicitly telling the Spring Security framework. So why we selected disabling X_XXX-Protection is: a] Modern browsers have removed support for X-Xss. b] Also, xss functionality is comprehensively and reliably handled by the Content-Security-Policy (CSP) header.

How was the patch tested?

• UI
• mvn build

[Copilot]

Pull request overview

This PR removes the deprecated X-XSS-Protection header from Atlas HTTP responses. The X-XSS-Protection header is no longer supported by modern browsers and has been superseded by the Content-Security-Policy header.

Key Changes:

• Removed X_XSS_PROTECTION_KEY and X_XSS_PROTECTION_VAL constants from HeadersUtil
• Disabled XSS protection at the Spring Security level by adding .xssProtection().disable() to prevent Spring Security from automatically adding the header
• Updated test files to remove assertions and mock configurations related to the deprecated header

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

File	Description
webapp/src/main/java/org/apache/atlas/web/filters/HeadersUtil.java	Removed X-XSS-Protection constants and removed initialization of the header in the HEADER_MAP
webapp/src/main/java/org/apache/atlas/web/security/AtlasSecurityConfig.java	Added .xssProtection().disable() to the Spring Security configuration to prevent automatic addition of the deprecated header
webapp/src/test/java/org/apache/atlas/web/filters/HeaderUtilsTest.java	Removed test assertion that validated the presence of X-XSS-Protection header
webapp/src/test/java/org/apache/atlas/web/security/AtlasSecurityConfigTest.java	Added mock setup for XXssConfig in both setupHttpSecurityMocksFor and setupHttpSecurityMocks methods to support the new xssProtection().disable() call chain

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The comment contains a grammatical error. "No Modern Browsers support" should be "No modern browsers support" (lowercase 'm') and should say "support it" for clarity. Consider revising to: "By default Spring Security automatically adds security headers unless you disable them. No modern browsers support it and it's replaced by 'Content-Security-Policy'"

Suggested change

	// Why disable() xssProtection -> By default Spring Security automatically adds security headers unless you disable them. No Modern Browsers support and its replaced by "Content-Security-Policy"
	// Why disable() xssProtection -> By default Spring Security automatically adds security headers unless you disable them. No modern browsers support it and it's replaced by "Content-Security-Policy"