In https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection Mozilla states that no web-facing server should send the X-XSS-Protection header, but when enabling the httpHeaderSecurity filter, X-XSS-Protection is one of the headers added. It would be better to exclude it.
Given the status and history of that feature I intend to do the following:
- change the default for xssProtectionEnabled to false
- deprecate the feature in 8.5.x to 10.1.x
- remove the feature in 11.0.x
Fixed in:
- 11.0.x for 11.0.0-M7 onwards
- 10.1.x for 10.1.10 onwards
- 9.0.x for 9.0.76 onwards
- 8.5.x for 8.5.90 onwards
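
An added example, not part of the bug report or Tomcat's own code: a small Python audit that parses a web.xml and reports, for each `org.apache.catalina.filters.HttpHeaderSecurityFilter` declaration, whether `xssProtectionEnabled` is set explicitly or left to the default that this change flips. The sample descriptor and its filter names are constructed, and treating any value other than `true` as disabled is an assumption.

```python
import xml.etree.ElementTree as ET

FILTER_CLASS = "org.apache.catalina.filters.HttpHeaderSecurityFilter"

# Constructed sample web.xml (not from the bug report): one filter relies on
# the default, the other sets xssProtectionEnabled explicitly.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <filter>
    <filter-name>headersDefault</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  </filter>
  <filter>
    <filter-name>headersExplicit</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param><param-name>xssProtectionEnabled</param-name><param-value>false</param-value></init-param>
  </filter>
</web-app>
"""


def local(tag):
    """Strip the XML namespace so javaee and jakartaee descriptors both match."""
    return tag.rsplit("}", 1)[-1]


def child_text(elem, name):
    """Return the stripped text of the first direct child called `name`, or None."""
    for child in elem:
        if local(child.tag) == name:
            return (child.text or "").strip()
    return None


def audit_xss_protection(web_xml_text):
    """Map filter-name -> 'enabled' | 'disabled' | 'default' for each HttpHeaderSecurityFilter."""
    results = {}
    for flt in ET.fromstring(web_xml_text).iter():
        if local(flt.tag) != "filter" or child_text(flt, "filter-class") != FILTER_CLASS:
            continue
        state = "default"  # no explicit setting: behaviour follows the Tomcat version's default
        for param in flt:
            if local(param.tag) == "init-param" and child_text(param, "param-name") == "xssProtectionEnabled":
                value = child_text(param, "param-value") or ""
                # Assumption: only "true" (any case) enables the header.
                state = "enabled" if value.lower() == "true" else "disabled"
        results[child_text(flt, "filter-name")] = state
    return results


if __name__ == "__main__":
    print(audit_xss_protection(SAMPLE_WEB_XML))
```

A filter reported as `default` sends the header or not depending on which side of the default change the running Tomcat version falls; `enabled` entries keep sending it until the parameter is removed or set to `false`.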