Deprecated X-XSS-Protection header in use
X-XSS-Protection is an old browser security header that was designed to block cross-site scripting (XSS) attacks, where malicious code is injected into your pages. Modern browsers no longer support it and it has been retired.
Why this matters
Using this deprecated header does nothing to protect modern visitors and can actually introduce new security issues in some browsers. It gives a false sense of security while the real protection — a Content Security Policy — may be missing.
How to fix it
Remove the X-XSS-Protection header from your server configuration and replace it with a properly configured Content-Security-Policy header.
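A small way to verify the fix is to audit the response headers a server actually sends: flag any X-XSS-Protection header (whatever its value, since the header is retired) and check that an enforced Content-Security-Policy is present and restricts script sources. The script below is an added example, not part of the original finding; the sample header sets are constructed for the demonstration, and the `fetch_headers` helper (which uses only the standard library) is an assumed convenience for running it against a live URL.

```python
"""Audit HTTP response headers for the deprecated X-XSS-Protection header
and for the presence and strength of a Content-Security-Policy.

Added example, not from the original finding. Sample headers are constructed.
"""
from __future__ import annotations

import urllib.request

# Constructed sample: a response that still sends the retired header and no CSP.
SAMPLE_BEFORE = {
    "Content-Type": "text/html",
    "X-XSS-Protection": "1; mode=block",
}

# Constructed sample: retired header removed, enforced CSP with nonce-based scripts.
SAMPLE_AFTER = {
    "Content-Type": "text/html",
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self' 'nonce-abc123'; object-src 'none'"
    ),
}


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a CSP value into {directive: [source tokens]}.

    Directives are separated by ';' and tokens inside a directive by whitespace.
    """
    directives: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_headers(headers: dict[str, str]) -> list[str]:
    """Return a list of findings; an empty list means the headers pass this check."""
    # Header names are case-insensitive, so normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}
    findings: list[str] = []

    xss = h.get("x-xss-protection")
    if xss is not None:
        if xss.strip().startswith("0"):
            findings.append("x-xss-protection present (value 0): header is deprecated; remove it")
        else:
            findings.append(
                f"x-xss-protection present (value {xss!r}): deprecated filter enabled; remove it"
            )

    csp = h.get("content-security-policy")
    if csp is None:
        if "content-security-policy-report-only" in h:
            findings.append("only content-security-policy-report-only set: policy is not enforced")
        else:
            findings.append("content-security-policy missing")
        return findings

    directives = parse_csp(csp)
    # script-src falls back to default-src when absent.
    script_sources = directives.get("script-src", directives.get("default-src"))
    if script_sources is None:
        findings.append("csp has neither script-src nor default-src: scripts are unrestricted")
    else:
        has_nonce_or_hash = any(
            s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script_sources
        )
        # A nonce or hash makes browsers ignore 'unsafe-inline'; without one it is a real weakness.
        if "'unsafe-inline'" in script_sources and not has_nonce_or_hash:
            findings.append("csp allows 'unsafe-inline' scripts without a nonce or hash")
    return findings


def fetch_headers(url: str) -> dict[str, str]:
    """Fetch a URL with the standard library and return its response headers (assumed helper)."""
    with urllib.request.urlopen(url) as resp:
        return dict(resp.headers.items())


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, audit_headers(sample) or ["ok"])
```

On nginx the corresponding configuration change is to delete the `add_header X-XSS-Protection ...;` line and add `add_header Content-Security-Policy "..." always;` with a policy that names your script sources explicitly; rerun the audit against the live response afterwards, since proxies and application frameworks sometimes inject the old header on their own.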