checker: align X-XSS-Protection severities with OWASP

Absent is now OK (OWASP recommends leaving it unset or set to 0),
and filtering mode (bare 1 or 1; report=...) is Warn since selective
script rewriting can itself introduce XSS. 1; mode=block stays Info.
nemunaire 2026-06-18 10:50:51 +09:00
commit a652692ba4
3 changed files with 8 additions and 6 deletions


@ -22,7 +22,7 @@ relies on TLS for transport.
| `http.csp` | Verifies the presence and quality of the Content-Security-Policy header on HTTPS responses. | WARNING |
| `http.x_frame_options` | Verifies that responses set X-Frame-Options or a CSP frame-ancestors directive. | WARNING |
| `http.x_content_type_options` | Verifies that responses set X-Content-Type-Options: nosniff. | WARNING |
| `http.x_xss_protection` | Reports the value of the legacy X-XSS-Protection header (disabled is preferred; CSP is the proper replacement). | INFO |
| `http.x_xss_protection` | Reports the legacy X-XSS-Protection header; warns on filtering mode (can introduce XSS), absent/`0` are fine, CSP is the real defense. | WARNING |
| `http.referrer_policy` | Verifies that responses set a Referrer-Policy header with a privacy-preserving value. | WARNING |
| `http.permissions_policy` | Verifies that the Permissions-Policy header restricts powerful APIs (camera, microphone, geolocation, …). | WARNING |
| `http.coop` | Verifies the Cross-Origin-Opener-Policy (COOP) header for cross-origin process isolation. | WARNING |
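Review bot: The new `http.x_xss_protection` row documents the Warn outcome (filtering mode) and the OK outcome (absent/`0`) but omits the third outcome the commit message describes, `1; mode=block` staying Info; add it so the README matches the checker, e.g. "warns on filtering mode (bare `1` or `1; report=...`, which can introduce XSS); absent or `0` pass, `1; mode=block` is informational; CSP is the real defense." The description is also a comma-spliced run-on where the neighbouring rows use short "Verifies that ..." sentences; splitting it into two sentences keeps the table's style consistent. Only this README hunk is visible here although the header reports 3 changed files, so the severity change in the checker code itself cannot be reviewed from this view.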