Capitalize "X-Xss-Protection:" -> "X-XSS-Protection:"

[jf]

I'm not so sure about the support for the current capitalization now (X-Xss-Protection) in the various browsers; I think it shouldnt be a problem if we trust them to follow the HTTP spec properly (HTTP Header names are case-insensitive)... but it'd still be nice to capitalize it properly to X-XSS-Protection:

1. XSS is an acronym
2. the README uses X-XSS-Protection as well

[unrolled]

Hey! I think I might be missing something here... I just checked the code and it is properly cased: https://github.com/martini-contrib/secure/blob/master/secure.go#L41 Are you seeing this in the code or the output?

[jf]

Thanks, Cory. I'm seeing this in the output. There is no middleware before this, and I am updated to the latest commit (de8e19a)

[unrolled]

Alright, I dug into this a bit more and heres what I found out. Go canonicalizes the header keys automatically for us (whether we like it or not): https://golang.org/src/net/http/header.go#L166

// CanonicalHeaderKey returns the canonical format of the
// header key s.  The canonicalization converts the first
// letter and any letter following a hyphen to upper case;
// the rest are converted to lowercase.  For example, the
// canonical key for "accept-encoding" is "Accept-Encoding".

[jf]

Thanks, Cory! Appreciate you digging into this for me. So what's your verdict on this?

[unrolled]

I don't think we can do anything about this. As long as we use Go's Header().Add() function, it'll change our header keys.