The header X-Xss-Protection: 1; mode=block is considered unsafe to use and should not be included in the default headers given that it is more likely to introduce vulnerabilities than protect the end user when implemented by a naive developer.
This feature is non-standard and is not on a standards track. Do not use it on production sites facing the Web: it will not work for every user. There may also be large incompatibilities between implementations and the behavior may change in the future.
See:
Extract from MDN for the lazy (emphasis my own):