fix: remove obsolete X-XSS-Protection header

the `X-XSS-Protection` is a legacy, non-standard and deprecated header
for older web browsers that don't yet support CSP (Content-Security-Policy) header.

but it is deprecated and no longer considered an effective defense mechanism.

- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
- https://crashtest-security.com/x-xss-protection-retired/

Author: joseluisq

src/security_headers.rs

@@ -8,7 +8,6 @@
 
 use http::header::{
     CONTENT_SECURITY_POLICY, STRICT_TRANSPORT_SECURITY, X_CONTENT_TYPE_OPTIONS, X_FRAME_OPTIONS,
-    X_XSS_PROTECTION,
 };
 use hyper::{Body, Response};
 
@@ -27,10 +26,6 @@ pub fn append_headers(resp: &mut Response<Body>) {
     resp.headers_mut()
         .insert(X_FRAME_OPTIONS, "DENY".parse().unwrap());
 
-    // X-XSS-Protection
-    resp.headers_mut()
-        .insert(X_XSS_PROTECTION, "1; mode=block".parse().unwrap());
-
     // X-Content-Type-Options
     resp.headers_mut()
         .insert(X_CONTENT_TYPE_OPTIONS, "nosniff".parse().unwrap());