From cf56fc9182ed2c23e7c0d99da1ff8e7a4659bedd Mon Sep 17 00:00:00 2001
From: Rahul Zhade
Date: Thu, 8 Aug 2024 20:09:11 -0400
Subject: [PATCH] Update default X-XSS-Protection value to 0 (#479)

This PR updates the default value of the `X-XSS-Protection` header to 0. There's further discussion here about the reasons for this: https://github.com/github/secure_headers/issues/439.

## All PRs:

* [x] Has tests
* [x] Documentation updated

Closes https://github.com/github/secure_headers/issues/439
---
 README.md | 2 +-
 lib/secure_headers/headers/x_xss_protection.rb | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index a43004b5..1683c84f 100644
--- a/README.md
+++ b/README.md
@@ -105,7 +105,7 @@ X-Content-Type-Options: nosniff
 X-Download-Options: noopen
 X-Frame-Options: sameorigin
 X-Permitted-Cross-Domain-Policies: none
-X-Xss-Protection: 1; mode=block
+X-Xss-Protection: 0
 ```
 
 ## API configurations
diff --git a/lib/secure_headers/headers/x_xss_protection.rb b/lib/secure_headers/headers/x_xss_protection.rb
index 27a99c02..5be385de 100644
--- a/lib/secure_headers/headers/x_xss_protection.rb
+++ b/lib/secure_headers/headers/x_xss_protection.rb
@@ -3,7 +3,7 @@ module SecureHeaders
 class XXssProtectionConfigError < StandardError; end
 class XXssProtection
 HEADER_NAME = "X-XSS-Protection".freeze
-DEFAULT_VALUE = "1; mode=block"
+DEFAULT_VALUE = "0".freeze
 VALID_X_XSS_HEADER = /\A[01](; mode=block)?(; report=.*)?\z/
 
 class << self
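Review bot: The new `DEFAULT_VALUE = "0".freeze` in x_xss_protection.rb carries no comment saying why the default now disables the filter, so a later maintainer reading only this constant may "restore" `1; mode=block` without seeing the reasoning collected in issue #439. A one-line comment above the constant, such as `# "0" turns the legacy browser XSS filter off; see https://github.com/github/secure_headers/issues/439 for why this is the safer default`, would keep the rationale next to the value rather than only in the PR description. Adding `.freeze` brings the constant in line with `HEADER_NAME` on the line above, which is a welcome consistency fix. `VALID_X_XSS_HEADER` is unchanged and still accepts the legacy `1; mode=block` form, so explicit configurations keep working; that is presumably intended. The enclosing `class XXssProtection` continues past the hunk, which ends on the opening `class << self`.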