- Type: Suggestion
- Resolution: Unresolved
- Component/s: Security
As per X-XSS-Protection:
These protections are largely unnecessary in modern browsers when sites implement a strong Content-Security-Policy that disables the use of inline JavaScript ('unsafe-inline').
To align with standard security practice, request to remove this header.
This header was introduced as part of the following suggestion request: https://jira.atlassian.com/browse/JRASERVER-25145
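
The condition quoted above (a Content-Security-Policy that does not permit inline JavaScript) can be checked against a response's headers before the X-XSS-Protection header is dropped. The following is an added example, not code from Jira or from the original report; the function names and the sample headers are assumptions made for illustration.

```python
def parse_policy(policy):
    """Parse one serialized CSP into {directive: [sources]}; the first duplicate wins."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return directives

def _allows_inline(directives, chain):
    """True if the first directive present in the fallback chain permits all inline script."""
    for name in chain:
        if name in directives:
            sources = directives[name]
            if "'unsafe-inline'" not in sources:
                return False
            # Browsers ignore 'unsafe-inline' when a nonce, hash or 'strict-dynamic' is listed.
            overridden = any(
                s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                or s == "'strict-dynamic'" for s in sources)
            return not overridden
    return True  # no governing directive: inline script is unrestricted

def policy_blocks_inline(policy):
    """True if neither <script> blocks nor event-handler attributes may run inline."""
    d = parse_policy(policy)
    elem = _allows_inline(d, ("script-src-elem", "script-src", "default-src"))
    attr = _allows_inline(d, ("script-src-attr", "script-src", "default-src"))
    return not (elem or attr)

def xss_header_redundant(headers):
    """headers: list of (name, value) pairs. Report-Only policies are not enforced."""
    policies = []
    for name, value in headers:
        if name.lower() == "content-security-policy":
            policies.extend(p for p in value.split(",") if p.strip())
    # A script must pass every enforced policy, so one blocking policy is enough.
    return any(policy_blocks_inline(p) for p in policies)

# Constructed sample response headers (not captured from a real Jira instance).
SAMPLE = [
    ("X-XSS-Protection", "1; mode=block"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-inline'"),
]

if __name__ == "__main__":
    print("X-XSS-Protection redundant:", xss_header_redundant(SAMPLE))
```

A result of False means the enforced policy still allows inline script, so the quoted rationale for removing the header does not yet apply to that response.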