I agree. The time has come to remove it as it offers little protection, and
it's easy to add back if you have the requirement.
Two more data points: securityheaders.com no longer gives you points for
setting the header, and caniuse.com data (
https://caniuse.com/mdn-http_headers_x-xss-protection

Hi, I think this setting and its functionality could be removed without a
deprecation.
Django's docs say, "Modern browsers don’t honor X-XSS-Protection HTTP
header anymore. Although the setting offers little practical benefit, you
may still want to set the header if you support older