switches default value for security settings (#25175)

closes #25163

conf/defaults.ini

@@ -202,12 +202,12 @@ strict_transport_security_subdomains = false
 
 # Set to true to enable the X-Content-Type-Options response header.
 # The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised
-# in the Content-Type headers should not be changed and be followed. The default will change to true in the next minor release, 6.3.
-x_content_type_options = false
+# in the Content-Type headers should not be changed and be followed.
+x_content_type_options = true
 
 # Set to true to enable the X-XSS-Protection header, which tells browsers to stop pages from loading
-# when they detect reflected cross-site scripting (XSS) attacks. The default will change to true in the next minor release, 6.3.
-x_xss_protection = false
+# when they detect reflected cross-site scripting (XSS) attacks.
+x_xss_protection = true
 
 
 #################################### Snapshots ###########################

conf/sample.ini

@@ -203,12 +203,12 @@
 
 # Set to true to enable the X-Content-Type-Options response header.
 # The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised
-# in the Content-Type headers should not be changed and be followed. The default will change to true in the next minor release, 6.3.
-;x_content_type_options = false
+# in the Content-Type headers should not be changed and be followed.
+;x_content_type_options = true
 
 # Set to true to enable the X-XSS-Protection header, which tells browsers to stop pages from loading
-# when they detect reflected cross-site scripting (XSS) attacks. The default will change to true in the next minor release, 6.3.
-;x_xss_protection = false
+# when they detect reflected cross-site scripting (XSS) attacks.
+;x_xss_protection = true
 
 #################################### Snapshots ###########################
 [snapshots]