Update default X-XSS-Protection value to 0 (#479)

This PR updates the default value of the `X-XSS-Protection` header to 0.
There's further discussion here about the reasons for this:
https://github.com/github/secure_headers/issues/439.

## All PRs:

* [x] Has tests
* [x] Documentation updated

Closes https://github.com/github/secure_headers/issues/439

README.md

@@ -105,7 +105,7 @@ X-Content-Type-Options: nosniff
 X-Download-Options: noopen
 X-Frame-Options: sameorigin
 X-Permitted-Cross-Domain-Policies: none
-X-Xss-Protection: 1; mode=block
+X-Xss-Protection: 0
 ```
 
 ## API configurations

lib/secure_headers/headers/x_xss_protection.rb

@@ -3,7 +3,7 @@ module SecureHeaders
   class XXssProtectionConfigError < StandardError; end
   class XXssProtection
     HEADER_NAME = "X-XSS-Protection".freeze
-    DEFAULT_VALUE = "1; mode=block"
+    DEFAULT_VALUE = "0".freeze
     VALID_X_XSS_HEADER = /\A[01](; mode=block)?(; report=.*)?\z/
 
     class << self