X-XSS-Protection: header should be disabled by default #49

Open
markdascher opened this issue Mar 3, 2021 · 0 comments
@markdascher

🌱 Feature Request

Is your feature request related to a problem? Please describe.

The X-XSS-Protection header seems to be falling out of favor across similar projects, since it causes more problems than it solves.

Describe the solution you'd like

The default value for X-XSS-Protection should be changed from 1 to 0. That ensures legacy browsers disable their buggy XSS Protection filters.

Describe alternatives you've considered

An alternative would be to update the README, suggesting projects configure xssProtection: false manually, and potentially updating this chart.

Documentation, Adoption, Migration Strategy

Helmet included this change as part of a major version bump. That's probably the safest way to go?

It's easy enough to work around in the meantime. I'm mainly opening up an issue since there weren't any similar discussions here yet, and I was curious if xssProtection: false is generally recommended now.

Additional context

helmetjs/helmet#230
https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#x-xss-protection-header


  • I've tried to find similar issues and pull requests
  • I would like to work on this feature 💪🏻
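To make the proposed default concrete, here is an added example that is not part of the issue and not this project's or Helmet's code. It models the option shape discussed above (`xssProtection: false` meaning "send `X-XSS-Protection: 0`"), parses the legacy header grammar, and audits a response's headers the way a reviewer would: flag a missing header (legacy browsers then fall back to their own auditor), flag any value that turns the filter on, and flag a missing `Content-Security-Policy`, which the linked OWASP cheat sheet recommends instead. The names `secureHeaders`, `parseXssProtection`, `auditHeaders` and `demo` are hypothetical, and the sample headers are constructed for the example.

```javascript
// Added example, not the project's own code. All function names are hypothetical.

// Parse an X-XSS-Protection value into its parts.
// Legacy, never-standardised grammar: "0" | "1" [ "; mode=block" ] [ "; report=<uri>" ]
// Returns null for anything that does not start with "0" or "1".
function parseXssProtection(value) {
  const parts = String(value).split(';').map((p) => p.trim()).filter(Boolean);
  if (parts.length === 0) return null;
  const enabled = parts[0] === '1';
  if (!enabled && parts[0] !== '0') return null; // unrecognised leading token
  const result = { enabled, mode: null, report: null };
  for (const directive of parts.slice(1)) {
    const [rawKey, ...rest] = directive.split('=');
    const key = rawKey.trim().toLowerCase();
    const val = rest.join('=').trim(); // report URIs may themselves contain '='
    if (key === 'mode') result.mode = val;
    else if (key === 'report') result.report = val;
  }
  return result;
}

// Middleware-style factory that writes the header onto a plain headers object.
// The default is the value the issue asks for: "0", which tells legacy browsers
// that still ship an XSS auditor to switch it off rather than leaving it at the
// browser's own default. `xssProtection: true` reproduces the old "1; mode=block".
function secureHeaders(options = {}) {
  const { xssProtection = false } = options;
  return function apply(headers) {
    headers['X-XSS-Protection'] = xssProtection ? '1; mode=block' : '0';
    return headers;
  };
}

// Audit one response's headers. Returns a list of human-readable findings;
// an empty list means the response matches the recommended configuration.
function auditHeaders(headers) {
  const findings = [];
  const lookup = (name) => {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
    return key === undefined ? undefined : headers[key];
  };

  const xss = lookup('X-XSS-Protection');
  if (xss === undefined) {
    findings.push('X-XSS-Protection missing: legacy browsers fall back to their own auditor');
  } else {
    const parsed = parseXssProtection(xss);
    if (parsed === null) {
      findings.push(`X-XSS-Protection unparseable: ${JSON.stringify(xss)}`);
    } else if (parsed.enabled) {
      findings.push(`X-XSS-Protection enables the legacy filter (${xss}); send "0" instead`);
    }
  }

  if (lookup('Content-Security-Policy') === undefined) {
    findings.push('Content-Security-Policy missing: it is the supported replacement for the XSS filter');
  }
  return findings;
}

// Constructed sample: the old default beside the proposed one.
function demo() {
  const legacy = secureHeaders({ xssProtection: true })({});
  const proposed = secureHeaders()({ 'Content-Security-Policy': "default-src 'self'" });
  return { legacy: auditHeaders(legacy), proposed: auditHeaders(proposed) };
}
```

Running `demo()` reports two findings for the legacy configuration (filter enabled, no CSP) and none for the proposed one. Because the header only matters to browsers that still carry an XSS auditor, the audit treats "absent" as a finding too: with no header, those browsers keep the filter on, which is exactly the behaviour the issue wants turned off.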