This PR ensures that the X-XSS-Protection header is present, but always returns "0", as per the advice on the OWASP Secure Headers Project and MDN. Relevant quotes to follow.
⚠️ Warning: The X-XSS-Protection header has been deprecated by modern browsers and its use can introduce additional security issues on the client side. As such, it is recommended to set the header as X-XSS-Protection: 0 in order to disable the XSS Auditor, and not allow it to take the default behavior of the browser handling the response. Please use Content-Security-Policy instead.
Source: https://owasp.org/www-project-secure-headers/#x-xss-protection
Fixes #73
See #73 for further detail
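A regression check for the behaviour described above, as an added example that is not code from this PR or the project: it parses a raw HTTP response head and reports when `X-XSS-Protection` is absent, duplicated, or anything other than `0`, and when no `Content-Security-Policy` accompanies it. The function names and the sample responses are constructed for illustration.

```python
def parse_headers(raw_head):
    """Map lower-cased header names to the list of values sent for each."""
    headers = {}
    for line in raw_head.splitlines()[1:]:      # skip the status line
        if not line.strip():                    # blank line ends the head
            break
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit_xss_protection(raw_head):
    """Return a list of findings; an empty list means the head is as expected."""
    headers = parse_headers(raw_head)
    findings = []
    values = headers.get("x-xss-protection", [])
    if not values:
        # Absent header leaves the decision to the browser's default behaviour.
        findings.append("X-XSS-Protection missing: browser default applies")
    elif len(values) > 1:
        findings.append("X-XSS-Protection sent %d times" % len(values))
    for value in values:
        if value != "0":
            findings.append("X-XSS-Protection is %r, expected '0'" % value)
    if "content-security-policy" not in headers:
        findings.append("Content-Security-Policy missing")
    return findings


# Constructed sample response heads (not captured from any real service).
EXPECTED = ("HTTP/1.1 200 OK\r\n"
            "Content-Security-Policy: default-src 'self'\r\n"
            "x-xss-protection: 0\r\n\r\n")
LEGACY = ("HTTP/1.1 200 OK\r\n"
          "Content-Security-Policy: default-src 'self'\r\n"
          "X-XSS-Protection: 1; mode=block\r\n\r\n")
BARE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for label, head in (("expected", EXPECTED), ("legacy", LEGACY), ("bare", BARE)):
        print(label, audit_xss_protection(head))
```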