In the Admin Overview security check section, I get the header warning:
The “X-XSS-Protection” HTTP header does not contain “1; mode=block”. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
My X-XSS-Protection header is set to 0 (disable).
According to hardenize.com:
"Some browsers ship with so-called XSS Auditors, built-in defenses against XSS. Although these defenses work against simple reflective XSS attacks, they can be abused by skillful attackers to add weaknesses to otherwise secure web sites. These dangers are present in both filtering and blocking modes. At this time, the Safari browser ships with its XSS defenses enabled by default. For this reason, the best approach is to explicitly disable this functionality."
Can/should Nextcloud either change the advice to disable or permit block or disable?
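As an added example (not part of the original post and not Nextcloud's own code), a small Python checker that parses the X-XSS-Protection header syntax and reports whether a value is what the Nextcloud check expects ("1; mode=block"), the disabled setting the quoted advice recommends ("0"), or filter mode ("1" alone). The URL passed to check_site is an assumed placeholder.

```python
"""Classify an X-XSS-Protection header value by what it tells a browser.

Added example, not part of the original forum post or of Nextcloud's code.
Recognised syntax: "0", "1", "1; mode=block", "1; report=<url>".
"""
import urllib.request


def parse_xss_protection(value):
    """Split 'X-XSS-Protection: 1; mode=block' into its directives."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts or parts[0] not in ("0", "1"):
        raise ValueError(f"unrecognised X-XSS-Protection value: {value!r}")
    directives = {"enabled": parts[0] == "1"}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        directives[key.strip().lower()] = val.strip()
    return directives


def classify(value):
    """Return 'disabled', 'block' or 'filter' for a header value."""
    d = parse_xss_protection(value)
    if not d["enabled"]:
        return "disabled"   # auditor off: the setting the hardenize.com advice recommends
    if d.get("mode", "").lower() == "block":
        return "block"      # auditor on, page blocked: what the Nextcloud check expects
    return "filter"         # auditor on, response sanitised instead of blocked


def check_site(url):
    """Fetch a URL (placeholder, assumed) and classify the header it sends."""
    with urllib.request.urlopen(url) as resp:
        value = resp.headers.get("X-XSS-Protection")
    return classify(value) if value is not None else "absent"


if __name__ == "__main__":
    for sample in ("0", "1", "1; mode=block", "1; report=https://example.invalid/r"):
        print(f"{sample!r:40} -> {classify(sample)}")
```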