Quick reminder that you should turn off legacy XSS protection. They rely on old insecure code and it's considered best practice to disable it; in fact it's been phased out by Chromium/Firefox, only Safari/IE still support it.
You should set it to "0". Many websites and guides still recommend to set it to "1; mode=block".
Just a single-user instance, nothing fancy here. I won't bite, I promise.