Flask+React Guide Questions

Hi, my company is considering using auth0 for authentication in our Flask and React application. However, we are not security experts and have some concerns.

We have gone through the Flask + React guide from 02/22 and have found it useful for getting set up. But we are unsure of several things. For a couple of examples:

  1. Why is X-XSS-Protection response header set to 0? Doesn’t this disable a cross-site-scripting protection? Why would we want to disable this?

  2. Why is cache disabled?

  3. Why is Talisman setting force_https: False, yet the response header Strict-Transport-Security is added?

We realize not all of these questions directly apply to auth0, but we are hoping to get some help from the community.