Bug #21797: Remove useless headers
Remove X-XSS-Protection header
- OWASP recommends to turn it off https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#recommendation_1
- It has been removed from all browsers in 2019 anyway
This may give a false sense of security, better remove it.