lusca
Disable x-xss-protection by default
As you know, the Google Chrome developers disabled the XSS Auditor. Developers should still be able to disable the auditor for older browsers by setting the header to 0.
The x-xss-protection header was found to have a multitude of issues instead of helping developers protect their application (e.g. Bypass x-xss-protection header).
The following discussion describes the issue at hand with more references:
https://github.com/OWASP/CheatSheetSeries/issues/376
https://github.com/OWASP/CheatSheetSeries/pull/378
Available for further discussions 😄
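As an added illustration (not lusca's own code or the issue author's), the following Express-style middleware sends the value this issue proposes as the default, `X-XSS-Protection: 0`, alongside a small classifier that audits what a response actually sent so legacy `1; mode=block` defaults can be spotted. The middleware signature `(req, res, next)` and the response stub are assumptions constructed here so the snippet runs without Express.

```javascript
// Added example; the middleware shape and the response stub are constructed assumptions.
const HEADER = 'X-XSS-Protection';

// Middleware: explicitly turn the legacy XSS Auditor off in browsers that
// still implement it. A value of 0 disables the filter; "1; mode=block" is
// the old opt-in that this issue argues should no longer be the default.
function xssProtectionOff(req, res, next) {
  res.setHeader(HEADER, '0');
  next();
}

// Classify an observed header value when auditing responses.
function classifyXssProtection(value) {
  if (value === undefined || value === null) return 'absent'; // browser default applies
  const v = String(value).trim().toLowerCase();
  if (v === '0') return 'disabled'; // the default this issue recommends
  if (/^1(\s*;\s*mode\s*=\s*block)?$/.test(v)) return 'legacy-auditor-enabled';
  return 'unrecognized';
}

// Minimal response stub (constructed) so the example runs without Express.
function makeResponse() {
  const headers = {};
  return {
    setHeader(name, value) { headers[name.toLowerCase()] = value; },
    getHeader(name) { return headers[name.toLowerCase()]; },
  };
}

// Run one middleware against a stub request/response and report the outcome.
function runMiddleware(middleware) {
  const res = makeResponse();
  let nextCalled = false;
  middleware({}, res, () => { nextCalled = true; });
  return { headerValue: res.getHeader(HEADER), nextCalled };
}

// Apply the middleware and classify the header it produced.
function demo() {
  const { headerValue } = runMiddleware(xssProtectionOff);
  return classifyXssProtection(headerValue);
}
```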