Related: https://github.com/helmetjs/x-xss-protection/issues/14 There’s some good discussion there. The OWASP consensus is that it does more harm than good. We’ve always allowed people to override this setting, but maybe we should change the default.