I'm trying to set the X-XSS-Protection header to "0" in Rails 3.2.8 to prevent Internet Explorer from throwing XSS errors. See more details about the header in this question and this article. I'm currently using this in my application controller:

class ApplicationController < ActionController::Base
  before_filter :set_headers

  def set_headers
    response.headers['X-XSS-Protection'] = "0"
  end
end

In development, this sets the header just fine. curl -i http://localhost:3000 returns:

X-XSS-Protection: 0

But in production (curl -i http://production-app.com), the header is improperly lowercased, and IE seems to ignore it.

X-Xss-Protection: 0

Does anyone have any idea why this is happening?

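Added example, not part of the original question: HTTP header field names are case-insensitive (RFC 7230, section 3.2), so a check of which X-XSS-Protection value a response actually carries should match the name without regard to case and should notice duplicate copies that disagree. The raw responses below are constructed from the two curl outputs in the question (the conflicting one is an invented edge case), and `parse_headers` and `effective_header` are hypothetical helper names.

```ruby
# Added example: case-insensitive check of a security header in raw
# `curl -i` output. All sample responses are constructed for illustration.

DEV_RESPONSE  = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n" \
                "X-XSS-Protection: 0\r\n\r\n<html></html>"
PROD_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n" \
                "X-Xss-Protection: 0\r\n\r\n<html></html>"
# Constructed edge case: a second copy of the header with a different value.
CONFLICT_RESPONSE = "HTTP/1.1 200 OK\r\nX-Xss-Protection: 0\r\n" \
                    "x-xss-protection: 1; mode=block\r\n\r\n"

# Parse the header block into { downcased_name => [values, ...] }.
def parse_headers(raw)
  head  = raw.split(/\r?\n\r?\n/, 2).first.to_s   # everything before the body
  lines = head.split(/\r?\n/)
  lines.shift                                     # drop the status line
  headers = Hash.new { |hash, key| hash[key] = [] }
  lines.each do |line|
    name, value = line.split(":", 2)
    next if value.nil? || name.strip.empty?       # skip malformed lines
    headers[name.strip.downcase] << value.strip
  end
  headers
end

# Hypothetical helper. Returns [status, values] where status is
#   :missing  - no header with that name, in any casing
#   :ok       - one distinct value
#   :conflict - several copies whose values disagree
def effective_header(raw, name)
  values = parse_headers(raw)[name.downcase].uniq
  return [:missing, []] if values.empty?
  [values.size == 1 ? :ok : :conflict, values]
end

if __FILE__ == $PROGRAM_NAME
  { "dev" => DEV_RESPONSE, "prod" => PROD_RESPONSE,
    "conflict" => CONFLICT_RESPONSE }.each do |label, raw|
    status, values = effective_header(raw, "X-XSS-Protection")
    puts "#{label}: #{status} #{values.inspect}"
  end
end
```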