Disable X-XSS-Protection by default

[krzysdz]

The X-XSS-Protection header is supported only by Internet Explorer, which is supported only on Windows 10 LTSC and Windows Server. All other browsers have removed their XSSAuditors or have never implemented it for security and maintenance reasons:

• Firefox: never implemented (bug 528661)
• Edge: removed in 2018 (Insider Preview what's new)
• Chrome: removed in 2019 (feature status, bug 968591)
• Safari: removed in early 2022 (Safari 15.4 release notes, WebKit features in Safari 15.4, bug 230483)
• Internet Explorer: supported, but the browser has been disabled on certain Windows 10 versions and is not available on Windows 11 (IE 11 retirement FAQ)

Since it isn't supported by any modern browser and it can introduce additional security vulnerabilities in the outdated browsers that support it, the x_xss_protection option should default to False.

[Jonakemon]

I like the idea. A header less saves a few bytes as well :) I'll open up a PR in a sec.