Contrary to what the doc claims, CORS is no defence
jub0bs opened this issue · 0 comments
jub0bs commented
The file `content/docs/operating/security.md` contains the following passage:

> For non-mutating endpoints, you may wish to set CORS headers such as `Access-Control-Allow-Origin` in your reverse proxy to prevent XSS.
However, this passage is problematic, because CORS is no defence against XSS. In fact, CORS is no defence at all; quite the opposite, since its goal is to relax the Same-Origin Policy.
This passage should be reworded or even removed.