rfc-st / humble

A humble, and 𝗳𝗮𝘀𝘁, security-oriented HTTP headers analyzer.
https://github.com/rfc-st/humble
MIT License
255 stars 18 forks

X-XSS-Protection issues #14

Closed stanley101music closed 10 months ago

stanley101music commented 10 months ago

According to OWASP Secure Headers Project, the X-XSS-Protection header is deprecated.

Although I didn't find a formal RFC or document saying it's deprecated, the caniuse shows that almost all modern browsers are not supporting this HTTP header, and MDN also mentioned that this is non-standard and recommends using Content-Security-Policy instead.

Perhaps X-XSS-Protection should have the issue as Deprecated Header in addition to Unsafe Value and Duplicated Values.

P.S. There might be a typo in insecure.txt, where v is lower case in Content-Security-Policy: Incorrect values and others are Values.

rfc-st commented 10 months ago

Hi!

You're absolutely right: it's time for 'humble' to clearly warn that X-XSS-Protection is deprecated (it might make some sense in older browsers that don't support CSP, but ironically enabling this header -with values other than '0'- can introduce XSS vulnerabilities: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection).

Added new check in: https://github.com/rfc-st/humble/commit/1c3c3dc6b4680adefddbc4c0edbe040e179c2d56

I have also fixed the typo in the insecure.txt file.

Thank you!

Best regards,
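For readers wanting to see what the three checks discussed in this thread look like in practice (Deprecated Header, Unsafe Value, Duplicated Values), here is an added example; it is not humble's own code, and the function names, the `(name, value)` header-list input and the raw-response parser are assumptions made for the illustration.

```python
"""Illustrative X-XSS-Protection checks (not humble's implementation)."""
from typing import Iterable, List, Tuple

HEADER = "x-xss-protection"


def parse_raw_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP response head into (name, value) pairs.

    Kept as a list, not a dict, so a header sent twice stays visible.
    """
    lines = raw.strip().splitlines()[1:]          # drop the status line
    pairs = []
    for line in lines:
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs


def xss_protection_findings(headers: Iterable[Tuple[str, str]]) -> List[str]:
    """Return the issue labels that apply to X-XSS-Protection.

    Header names are matched case-insensitively. An absent header yields no
    finding: CSP, not this header, is the control to look for.
    """
    values = [v for n, v in headers if n.lower() == HEADER]
    if not values:
        return []
    # Present at all: non-standard and unsupported by modern browsers.
    findings = ["Deprecated Header"]
    # Per MDN, any value other than '0' turns the legacy filter on, and that
    # filter could itself introduce XSS in older browsers; '0' is the safe value.
    if any(v.split(";", 1)[0].strip() != "0" for v in values):
        findings.append("Unsafe Value")
    if len(values) > 1:
        findings.append("Duplicated Values")
    return findings


if __name__ == "__main__":
    # Constructed sample response, not captured from a real server.
    sample = (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n"
        "X-XSS-Protection: 1; mode=block\r\n"
        "x-xss-protection: 0\r\n"
    )
    print(xss_protection_findings(parse_raw_headers(sample)))
```

Run as a script it prints the labels for the constructed response; the header is flagged as deprecated, unsafe (because of the `1; mode=block` value) and duplicated.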