docs(admin): add critical changes for Nextcloud 32

with a note about the dropped X-XSS-Protection header check

Signed-off-by: MichaIng <[email protected]>

Author: MichaIng

admin_manual/release_notes/index.rst

@@ -14,6 +14,7 @@ These sub pages will cover the most important changes in Nextcloud, as well as s
 .. toctree::
    :maxdepth: 1
 
+   upgrade_to_32.rst
    upgrade_to_31.rst
    upgrade_to_30.rst
    upgrade_to_28.rst

admin_manual/release_notes/upgrade_to_32.rst

@@ -0,0 +1,16 @@
+=======================
+Upgrade to Nextcloud 32
+=======================
+
+System requirements
+-------------------
+
+* PHP 8.1 is now deprecated but still supported.
+* PHP 8.4 is now supported, but 8.3 is recommended.
+
+Web server configuration
+------------------------
+
+* Setup checks do not check for the ``X-XSS-Protection`` response header anymore. It has been removed from Nextcloud's ``.htaccess`` and you may want to adjust your webserver config to not serve it anymore.
+  XSS filtering was supported only until Chromium 78 and similarly old browsers, but had been found to cause more issues, including attack vectors, than it solves.
+  Nowadays, aside of not serving the header at all, the only generally recommended value is ``0``. More context can be found in the `OWASP Cheat Sheet Series <https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#x-xss-protection>`_.