author Adnan Umer <u.adnan@outlook.com> 2019-08-05 17:23:50 +0500
committer Mariusz Felisiak <felisiak.mariusz@gmail.com> 2019-08-05 18:44:08 +0200
commit c5075360c50b6e681fb3e7d58e6e93ae96662f49 (patch)
tree 21b2af141e849adfd30dd381ef3ce13965825486 /docs
parent 05964b2198e53a8d66e34d83d9123e3051720b28 (diff)
Fixed #30680 -- Removed obsolete system check for SECURE_BROWSER_XSS_FILTER setting.
Diffstat (limited to 'docs')
-rw-r--r-- docs/ref/checks.txt 3
-rw-r--r-- docs/ref/settings.txt 4
2 files changed, 6 insertions, 1 deletions
diff --git a/docs/ref/checks.txt b/docs/ref/checks.txt
index b1f9e085b4..99f4e1d316 100644
--- a/docs/ref/checks.txt
+++ b/docs/ref/checks.txt
@@ -369,7 +369,8 @@ The following checks are run if you use the :option:`check --deploy` option:
set to ``True``, so your pages will not be served with an
``'X-XSS-Protection: 1; mode=block'`` header. You should consider enabling
this header to activate the browser's XSS filtering and help prevent XSS
- attacks.
+ attacks. *This check is removed in Django 3.0 as the ``X-XSS-Protection``
+ header is no longer honored by modern browsers.*
* **security.W008**: Your :setting:`SECURE_SSL_REDIRECT` setting is not set to
``True``. Unless your site should be available over both SSL and non-SSL
connections, you may want to either set this setting to ``True`` or configure
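Review bot: the sentence added at the end of this check entry contradicts the unchanged text immediately above it, which still tells the reader "You should consider enabling this header to activate the browser's XSS filtering and help prevent XSS attacks." If the check is removed in 3.0 because modern browsers no longer honor the header, that recommendation should be softened or the whole entry marked as removed with the docs' usual versionchanged markup, so the paragraph does not recommend and dismiss the header in the same breath. Note also that the commit title says the system check itself was removed, but this diff is limited to docs, so the code removal cannot be reviewed from this page.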
diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt
index 6aed2f862f..1c845b0df1 100644
--- a/docs/ref/settings.txt
+++ b/docs/ref/settings.txt
@@ -2182,6 +2182,10 @@ Default: ``False``
If ``True``, the :class:`~django.middleware.security.SecurityMiddleware` sets
the :ref:`x-xss-protection` header on all responses that do not already have it.
+Modern browsers don't honor ``X-XSS-Protection`` HTTP header anymore. Although
+the setting offers little practical benefit, you may still want to set the
+header if you support older browsers.
+
.. setting:: SECURE_CONTENT_TYPE_NOSNIFF
``SECURE_CONTENT_TYPE_NOSNIFF``
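Review bot: the added paragraph is missing an article ("don't honor the ``X-XSS-Protection`` HTTP header anymore"), and it leaves the status of the setting itself unclear: the checks.txt hunk in this same commit states the related check is removed in Django 3.0, but nothing here says whether ``SECURE_BROWSER_XSS_FILTER`` is deprecated or merely retained for older browsers. State that explicitly (a versionchanged note would fit) so the two pages stay consistent, and consider replacing the hedge "offers little practical benefit" with wording that matches the first sentence, e.g. "has no effect in modern browsers".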