Created attachment 33349: The patch that implements this feature. Tomcat's HttpHeaderSecurityFilter allows setting useful security-related headers, but it doesn't support the X-XSS-Protection header: https://www.owasp.org/index.php/List_of_useful_HTTP_headers The attached patch enhances the filter to support this header.
Some documentation would be nice: webapps/docs/config/filter.xml
Created attachment 33379: Updated patch with filter's documentation
Patch applied to 9.0.x for 9.0.0.M2 onwards, 8.0.x for 8.0.31 onwards and 7.0.x for 7.0.68 onwards. Thanks for the patch.
See also Bug 59754.