From 9d3cfe067233bceddf0d29e42f0f9987e1be8fa8 Mon Sep 17 00:00:00 2001
From: Akbar Husain <43771058+akbar1214@users.noreply.github.com>
Date: Wed, 19 Feb 2025 13:12:26 +0530
Subject: [PATCH] Remove `X-XSS-Protection` header (#36881)

Closes #21728

Signed-off-by: akbarhusainpatel
---
 .../release_notes/topics/26_2_0.adoc | 5 ++
 .../e2e/realm_settings_tabs_test.spec.ts | 4 --
 .../admin/messages/messages_de.properties | 1 -
 .../admin/messages/messages_es.properties | 2 -
 .../admin/messages/messages_ja.properties | 1 -
 .../admin/messages/messages_ka.properties | 1 -
 .../admin/messages/messages_pl.properties | 2 -
 .../admin/messages/messages_zh_CN.properties | 2 -
 .../admin/messages/messages_en.properties | 2 -
 .../security-defences/HeadersForm.tsx | 4 --
 .../migration/migrators/MigrateTo26_2_0.java | 57 +++++++++++++++++++
 .../datastore/DefaultMigrationManager.java | 2 +
 .../src/test/resources/example-realm.yaml | 1 -
 .../test-serialization-realmimport-cr.yml | 1 -
 .../src/test/resources/token-test-realm.yaml | 1 -
 .../models/BrowserSecurityHeaders.java | 2 -
 .../models/BrowserSecurityHeadersTest.java | 2 -
 .../DefaultSecurityHeadersProvider.java | 2 -
 .../tests/admin/AdminHeadersTest.java | 1 -
 .../import/import-without-clients.json | 2 -
 .../import/import-without-roles.json | 2 -
 .../test/resources/import/partial-import.json | 2 -
 .../import/testrealm-user-null-attr.json | 2 -
 .../model/acr-values-import-bug.json | 1 -
 .../testrealm-token-exchange-v2.json | 1 -
 25 files changed, 64 insertions(+), 39 deletions(-)
 create mode 100644 model/storage-private/src/main/java/org/keycloak/migration/migrators/MigrateTo26_2_0.java

diff --git a/docs/documentation/release_notes/topics/26_2_0.adoc b/docs/documentation/release_notes/topics/26_2_0.adoc
index cee478c35e3..4c1bce4b74b 100644
--- a/docs/documentation/release_notes/topics/26_2_0.adoc
+++ b/docs/documentation/release_notes/topics/26_2_0.adoc
@@ -58,3 +58,8 @@ link:{grafanadashboards_link}[The guide] contains two dashboards.
 * Keycloak troubleshooting dashboard - showing metrics related to service level indicators and troubleshooting.
 * Keycloak capacity planning dashboard - showing metrics related to estimating the load handled by Keycloak.
+= Removal of the `X-XSS-Protection` header
+
+Because the https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection[`X-XSS-Protection` header] is no longer supported by any user agents that are supported by Keycloak, it has been removed. This header was a feature of Internet Explorer, Chrome, and Safari that stopped pages from loading when they detected reflected cross-site scripting (XSS) attacks.
+
+We don't expect that this will impact any deployments due to the lack of support in user agents, as well as this feature being supplanted by https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP[Content Security Policy (CSP)].
diff --git a/js/apps/admin-ui/cypress/e2e/realm_settings_tabs_test.spec.ts b/js/apps/admin-ui/cypress/e2e/realm_settings_tabs_test.spec.ts
index 01b43c147bd..996fac077e8 100644
--- a/js/apps/admin-ui/cypress/e2e/realm_settings_tabs_test.spec.ts
+++ b/js/apps/admin-ui/cypress/e2e/realm_settings_tabs_test.spec.ts
@@ -165,10 +165,6 @@ describe("Realm settings tabs tests", () => {
 );
 cy.findByTestId("browserSecurityHeaders.xRobotsTag").clear();
 cy.findByTestId("browserSecurityHeaders.xRobotsTag").type("none");
- cy.findByTestId("browserSecurityHeaders.xXSSProtection").clear();
- cy.findByTestId("browserSecurityHeaders.xXSSProtection").type( "1; mode=block", );
 cy.findByTestId("browserSecurityHeaders.strictTransportSecurity").clear();
 cy.findByTestId("browserSecurityHeaders.strictTransportSecurity").type(
 "max-age=31537000",
diff --git a/js/apps/admin-ui/maven-resources-community/theme/keycloak.v2/admin/messages/messages_de.properties b/js/apps/admin-ui/maven-resources-community/theme/keycloak.v2/admin/messages/messages_de.properties index 074d52563f6..f6d0c56e542 100644 --- a/js/apps/admin-ui/maven-resources-community/theme/keycloak.v2/admin/messages/messages_de.properties +++ b/js/apps/admin-ui/maven-resources-community/theme/keycloak.v2/admin/messages/messages_de.properties @@ -473,7 +473,6 @@ contentSecurityPolicyHelp=Der Standardwert verhindert, dass Seiten von iframes, contentSecurityPolicyReportOnlyHelp=Zum Testen von Content Security Policies <1>Mehr erfahren xContentTypeOptionsHelp=Der Standardwert verhindert, dass Internet Explorer und Google Chrome eine Antwort abseits des deklarierten Content-Types <1>Erfahren Sie mehr MIME-sniffing xRobotsTagHelp=Verhindern, dass Seiten in Suchmaschinen auftauchen <1>Mehr erfahren -xXSSProtectionHelp=Dieser Header konfiguriert den Cross-Site-Scripting-Filter (XSS) in Ihrem Browser. Mit dem Standardverhalten verhindert der Browser das Rendern der Seite, wenn ein XSS-Angriff erkannt wird. <1>Mehr erfahren strictTransportSecurityHelp=Der HTTP-Header Strict-Transport-Security weist die Browser an, immer HTTPS zu verwenden. Sobald ein Browser diesen Header sieht, wird er die Website nur noch über HTTPS für die angegebene Zeit (1 Jahr) bei max-age besuchen, einschließlich der Subdomains. <1>Mehr erfahren refreshTokenMaxReuse=Refresh-Token maximale Wiederverwendung refreshTokenMaxReuseHelp=Maximale Anzahl der Wiederverwendung eines Refresh-Tokens. Wenn ein anderes Token verwendet wird, erfolgt der Widerruf sofort. diff --git a/js/apps/admin-ui/maven-resources-community/theme/keycloak.v2/admin/messages/messages_es.properties b/js/apps/admin-ui/maven-resources-community/theme/keycloak.v2/admin/messages/messages_es.properties index 72570170517..424e8eba315 100644 
--- a/js/apps/admin-ui/maven-resources-community/theme/keycloak.v2/admin/messages/messages_es.properties +++ b/js/apps/admin-ui/maven-resources-community/theme/keycloak.v2/admin/messages/messages_es.properties @@ -2031,7 +2031,6 @@ targetClaim=Atributo de destino assignRole=Asignar rol accessSettings=Configuraciones de acceso updateFlowSuccess=Flujo actualizado con éxito -xXSSProtectionHelp=Este encabezado configura el filtro contra scripting entre sitios (XSS) en tu navegador. Utilizando el comportamiento predeterminado, el navegador evitará la representación de la página cuando detecte un ataque XSS. <1>Más información authenticatedAccessPolicies=Políticas de acceso autenticado addExecutor=Agregar ejecutor selectIfResourceExists=Si un recurso ya existe, especifica qué se debe hacer @@ -2177,7 +2176,6 @@ rootURLHelp=URL raíz añadida a URLs relativas anonymousAccessPolicies=Políticas de acceso anónimo createResourceBasedPermission=Crear permiso basado en recurso searchForRole=Buscar rol -xXSSProtection=Protección X-XSS debugHelp=Habilitar/deshabilitar el registro de depuración en la salida estándar para Krb5LoginModule. validatorColNames.colConfig=Configuración createClient=Crear cliente diff --git a/js/apps/admin-ui/maven-resources-community/theme/keycloak.v2/admin/messages/messages_ja.properties b/js/apps/admin-ui/maven-resources-community/theme/keycloak.v2/admin/messages/messages_ja.properties index 06ef5d14f3d..530ec271d2e 100644 --- a/js/apps/admin-ui/maven-resources-community/theme/keycloak.v2/admin/messages/messages_ja.properties +++ b/js/apps/admin-ui/maven-resources-community/theme/keycloak.v2/admin/messages/messages_ja.properties 
@@ -410,7 +410,6 @@ otpTypeHelp=「totp」はタイムベースのワンタイム・パスワード keyForCodeExchange=Proof Key for Code Exchangeのコードチャレンジ方式 endpointsHelp=プロトコル・エンドポイントの設定を表示します。 useKerberosForPasswordAuthentication=パスワード認証にKerberosを使用 -xXSSProtection=X-XSS-Protection debugHelp=Krb5LoginModuleの標準出力へのデバッグロギングの有効/無効を設定します。 validatorColNames.colConfig=設定 nodeHost=ノードホスト diff --git a/js/apps/admin-ui/maven-resources-community/theme/keycloak.v2/admin/messages/messages_ka.properties b/js/apps/admin-ui/maven-resources-community/theme/keycloak.v2/admin/messages/messages_ka.properties index e8f02dfc99d..c66b8802b4a 100644 --- a/js/apps/admin-ui/maven-resources-community/theme/keycloak.v2/admin/messages/messages_ka.properties +++ b/js/apps/admin-ui/maven-resources-community/theme/keycloak.v2/admin/messages/messages_ka.properties @@ -321,7 +321,6 @@ target=სამიზნე browse=პოვნა mappers=ამსახველები user=მომხმარებელი -xXSSProtection=X-XSS-Protection Thursday=ხუთშაბათი annotations=ანოტაციები ms=მილიწამი diff --git a/js/apps/admin-ui/maven-resources-community/theme/keycloak.v2/admin/messages/messages_pl.properties b/js/apps/admin-ui/maven-resources-community/theme/keycloak.v2/admin/messages/messages_pl.properties index b27e193de26..6cf6d63e1c1 100644 --- a/js/apps/admin-ui/maven-resources-community/theme/keycloak.v2/admin/messages/messages_pl.properties +++ b/js/apps/admin-ui/maven-resources-community/theme/keycloak.v2/admin/messages/messages_pl.properties 
@@ -2133,7 +2133,6 @@ targetClaim=Roszczenie docelowe assignRole=Przypisz rolę accessSettings=Ustawienia dostępu updateFlowSuccess=Zaktualizowano przepływ pomyślnie -xXSSProtectionHelp=Ten nagłówek konfiguruje filtr przeciwdziałania atakom typu Cross-Site Scripting (XSS) w przeglądarce. Korzystając z zachowania domyślnego, przeglądarka będzie zapobiegać renderowaniu strony, gdy zostanie wykryty atak XSS. <1>Dowiedz się więcej authenticatedAccessPolicies=Polityki dostępu uwierzytelnionego addExecutor=Dodaj wykonawcę selectIfResourceExists=Jeśli zasób już istnieje, określ, co należy zrobić @@ -2279,7 +2278,6 @@ rootURLHelp=Adres URL główny dołączany do adresów URL względnych anonymousAccessPolicies=Polityki dostępu anonimowego createResourceBasedPermission=Utwórz uprawnienia oparte na zasobach searchForRole=Wyszukaj rolę -xXSSProtection=X-XSS-Protection debugHelp=Włącz / wyłącz debugowanie do standardowego wyjścia dla Krb5LoginModule. validatorColNames.colConfig=Konfiguracja createClient=Utwórz klienta diff --git a/js/apps/admin-ui/maven-resources-community/theme/keycloak.v2/admin/messages/messages_zh_CN.properties b/js/apps/admin-ui/maven-resources-community/theme/keycloak.v2/admin/messages/messages_zh_CN.properties index f7283a5a87f..75a588acb92 100644 --- a/js/apps/admin-ui/maven-resources-community/theme/keycloak.v2/admin/messages/messages_zh_CN.properties +++ b/js/apps/admin-ui/maven-resources-community/theme/keycloak.v2/admin/messages/messages_zh_CN.properties @@ -2011,7 +2011,6 @@ targetClaim=目标声明 assignRole=分配角色 accessSettings=访问设置 updateFlowSuccess=流程更新成功 -xXSSProtectionHelp=此标头在您的浏览器中配置跨站点脚本 (XSS) 过滤器。使用默认行为,浏览器将在检测到 XSS 攻击时阻止呈现页面。<1>了解更多 authenticatedAccessPolicies=经过身份验证的访问策略 addExecutor=添加执行器 selectIfResourceExists=如果资源已存在,请指定应采取的操作 
@@ -2150,7 +2149,6 @@ client-scopes-condition.tooltip=预期的客户端范围列表。如果指定的 anonymousAccessPolicies=匿名访问策略 createResourceBasedPermission=创建基于资源的权限 searchForRole=搜索角色 -xXSSProtection=X-XSS-保护 debugHelp=为 Krb5LoginModule 启用/禁用调试日志记录到标准输出。 validatorColNames.colConfig=设置 createClient=创建客户端 diff --git a/js/apps/admin-ui/maven-resources/theme/keycloak.v2/admin/messages/messages_en.properties b/js/apps/admin-ui/maven-resources/theme/keycloak.v2/admin/messages/messages_en.properties index ac17e84d2e1..c132c804c61 100644 --- a/js/apps/admin-ui/maven-resources/theme/keycloak.v2/admin/messages/messages_en.properties +++ b/js/apps/admin-ui/maven-resources/theme/keycloak.v2/admin/messages/messages_en.properties @@ -2134,7 +2134,6 @@ targetClaim=Target claim assignRole=Assign role accessSettings=Access settings updateFlowSuccess=Flow successfully updated -xXSSProtectionHelp=This header configures the Cross-site scripting (XSS) filter in your browser. Using the default behaviour, the browser will prevent rendering of the page when a XSS attack is detected. <1>Learn more authenticatedAccessPolicies=Authenticated access polices addExecutor=Add executor selectIfResourceExists=If a resource already exists, specify what should be done @@ -2280,7 +2279,6 @@ rootURLHelp=Root URL appended to relative URLs anonymousAccessPolicies=Anonymous access polices createResourceBasedPermission=Create resource-based permission searchForRole=Search role -xXSSProtection=X-XSS-Protection debugHelp=Enable/disable debug logging to standard output for Krb5LoginModule. validatorColNames.colConfig=Config createClient=Create client diff --git a/js/apps/admin-ui/src/realm-settings/security-defences/HeadersForm.tsx b/js/apps/admin-ui/src/realm-settings/security-defences/HeadersForm.tsx index e9c8f397514..0fc4d0c999b 100644 --- a/js/apps/admin-ui/src/realm-settings/security-defences/HeadersForm.tsx +++ b/js/apps/admin-ui/src/realm-settings/security-defences/HeadersForm.tsx 
@@ -48,10 +48,6 @@ export const HeadersForm = ({ realm, save }: HeadersFormProps) => { fieldName="browserSecurityHeaders.xRobotsTag" url="https://developers.google.com/search/docs/advanced/robots/robots_meta_tag" />
- (realm.getBrowserSecurityHeaders());
+ headers.remove("xXSSProtection");
+ realm.setBrowserSecurityHeaders(Collections.unmodifiableMap(headers));
+ }
+}
diff --git a/model/storage-private/src/main/java/org/keycloak/storage/datastore/DefaultMigrationManager.java b/model/storage-private/src/main/java/org/keycloak/storage/datastore/DefaultMigrationManager.java
index 5aef959966c..5792aa992fb 100644
--- a/model/storage-private/src/main/java/org/keycloak/storage/datastore/DefaultMigrationManager.java
+++ b/model/storage-private/src/main/java/org/keycloak/storage/datastore/DefaultMigrationManager.java
@@ -42,6 +42,7 @@ import org.keycloak.migration.migrators.MigrateTo24_0_3;
 import org.keycloak.migration.migrators.MigrateTo25_0_0;
 import org.keycloak.migration.migrators.MigrateTo26_0_0;
 import org.keycloak.migration.migrators.MigrateTo26_1_0;
+import org.keycloak.migration.migrators.MigrateTo26_2_0;
 import org.keycloak.migration.migrators.MigrateTo2_0_0;
 import org.keycloak.migration.migrators.MigrateTo2_1_0;
 import org.keycloak.migration.migrators.MigrateTo2_2_0;
@@ -123,6 +124,7 @@ public class DefaultMigrationManager implements MigrationManager {
 new MigrateTo25_0_0(),
 new MigrateTo26_0_0(),
 new MigrateTo26_1_0(),
+ new MigrateTo26_2_0(),
 };
 private final KeycloakSession session;
diff --git a/operator/src/test/resources/example-realm.yaml b/operator/src/test/resources/example-realm.yaml
index 98ca6c9042c..f720d79426f 100644
--- a/operator/src/test/resources/example-realm.yaml
+++ b/operator/src/test/resources/example-realm.yaml
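Review bot: The migrator registered here has no test in this patch: the diffstat adds MigrateTo26_2_0.java without a companion test, and the AdminHeadersTest hunk only drops `assertDefaultValue(BrowserSecurityHeaders.X_XSS_PROTECTION, h);` instead of asserting the header is gone. A negative assertion on the admin response (e.g. `assertNull(h.getFirst("X-XSS-Protection"));`, assuming `h` is a JAX-RS MultivaluedMap as the surrounding calls suggest) would pin the removal end to end, and a migration test against a realm that still stores `xXSSProtection` would pin the migrator. The visible tail of MigrateTo26_2_0 removes the `xXSSProtection` key from the map returned by `realm.getBrowserSecurityHeaders()` and writes it back; whether that also clears a persisted `_browser_header.xXSSProtection` realm attribute (the form the JSON fixtures in this patch delete) depends on the realm adapter, which is not in the diff, so a stale attribute may survive migration and still appear in exports even though DefaultSecurityHeadersProvider now emits only the enumerated headers. The migrator's file header and the start of its body are lost in this rendering, so its version guard could not be reviewed.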
@@ -1193,7 +1193,6 @@ spec:
 xRobotsTag: none
 xFrameOptions: SAMEORIGIN
 contentSecurityPolicy: frame-src 'self'; frame-ancestors 'self'; object-src 'none';
- xXSSProtection: 1; mode=block
 strictTransportSecurity: max-age=31536000; includeSubDomains
 smtpServer: {}
 eventsEnabled: false
diff --git a/operator/src/test/resources/test-serialization-realmimport-cr.yml b/operator/src/test/resources/test-serialization-realmimport-cr.yml
index f71d6d44aa3..d9adcdcab25 100644
--- a/operator/src/test/resources/test-serialization-realmimport-cr.yml
+++ b/operator/src/test/resources/test-serialization-realmimport-cr.yml
@@ -1074,7 +1074,6 @@ spec:
 xRobotsTag: none
 xFrameOptions: SAMEORIGIN
 contentSecurityPolicy: frame-src 'self'; frame-ancestors 'self'; object-src 'none';
- xXSSProtection: 1; mode=block
 strictTransportSecurity: max-age=31536000; includeSubDomains
 smtpServer: {}
 eventsEnabled: false
diff --git a/operator/src/test/resources/token-test-realm.yaml b/operator/src/test/resources/token-test-realm.yaml
index 32e11e15e13..1be4607789d 100644
--- a/operator/src/test/resources/token-test-realm.yaml
+++ b/operator/src/test/resources/token-test-realm.yaml
@@ -1070,7 +1070,6 @@ spec:
 xRobotsTag: none
 xFrameOptions: SAMEORIGIN
 contentSecurityPolicy: frame-src 'self'; frame-ancestors 'self'; object-src 'none';
- xXSSProtection: 1; mode=block
 strictTransportSecurity: max-age=31536000; includeSubDomains
 smtpServer: {}
 eventsEnabled: false
diff --git a/server-spi-private/src/main/java/org/keycloak/models/BrowserSecurityHeaders.java b/server-spi-private/src/main/java/org/keycloak/models/BrowserSecurityHeaders.java
index d39eb9dacfb..05858e21df3 100644
--- a/server-spi-private/src/main/java/org/keycloak/models/BrowserSecurityHeaders.java
+++ b/server-spi-private/src/main/java/org/keycloak/models/BrowserSecurityHeaders.java
@@ -28,7 +28,6 @@ public enum BrowserSecurityHeaders {
 CONTENT_SECURITY_POLICY_REPORT_ONLY("contentSecurityPolicyReportOnly", "Content-Security-Policy-Report-Only", ""),
 X_CONTENT_TYPE_OPTIONS("xContentTypeOptions", "X-Content-Type-Options", "nosniff"),
 X_ROBOTS_TAG("xRobotsTag", "X-Robots-Tag", "none"),
- X_XSS_PROTECTION("xXSSProtection", "X-XSS-Protection", "1; mode=block"),
 STRICT_TRANSPORT_SECURITY("strictTransportSecurity", "Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
 REFERRER_POLICY("referrerPolicy", "Referrer-Policy", "no-referrer");
@@ -65,7 +64,6 @@ public enum BrowserSecurityHeaders {
 dh.put(CONTENT_SECURITY_POLICY_REPORT_ONLY.getKey(), CONTENT_SECURITY_POLICY_REPORT_ONLY.getDefaultValue());
 dh.put(X_CONTENT_TYPE_OPTIONS.getKey(), X_CONTENT_TYPE_OPTIONS.getDefaultValue());
 dh.put(X_ROBOTS_TAG.getKey(), X_ROBOTS_TAG.getDefaultValue());
- dh.put(X_XSS_PROTECTION.getKey(), X_XSS_PROTECTION.getDefaultValue());
 dh.put(STRICT_TRANSPORT_SECURITY.getKey(), STRICT_TRANSPORT_SECURITY.getDefaultValue());
 dh.put(REFERRER_POLICY.getKey(), REFERRER_POLICY.getDefaultValue());
diff --git a/server-spi-private/src/test/java/org/keycloak/models/BrowserSecurityHeadersTest.java b/server-spi-private/src/test/java/org/keycloak/models/BrowserSecurityHeadersTest.java
index cb88f12d028..a6948c7ae69 100644
--- a/server-spi-private/src/test/java/org/keycloak/models/BrowserSecurityHeadersTest.java
+++ b/server-spi-private/src/test/java/org/keycloak/models/BrowserSecurityHeadersTest.java
@@ -10,7 +10,6 @@ import static org.keycloak.models.BrowserSecurityHeaders.STRICT_TRANSPORT_SECURI
 import static org.keycloak.models.BrowserSecurityHeaders.X_CONTENT_TYPE_OPTIONS;
 import static org.keycloak.models.BrowserSecurityHeaders.X_FRAME_OPTIONS;
 import static org.keycloak.models.BrowserSecurityHeaders.X_ROBOTS_TAG;
-import static org.keycloak.models.BrowserSecurityHeaders.X_XSS_PROTECTION;
 import static org.keycloak.models.BrowserSecurityHeaders.realmDefaultHeaders;
 import java.util.Arrays;
@@ -52,7 +51,6 @@ public class BrowserSecurityHeadersTest {
 CONTENT_SECURITY_POLICY_REPORT_ONLY,
 X_CONTENT_TYPE_OPTIONS,
 X_ROBOTS_TAG,
- X_XSS_PROTECTION,
 STRICT_TRANSPORT_SECURITY,
 REFERRER_POLICY
 );
diff --git a/services/src/main/java/org/keycloak/headers/DefaultSecurityHeadersProvider.java b/services/src/main/java/org/keycloak/headers/DefaultSecurityHeadersProvider.java
index 38544643568..0a67d3f5772 100644
--- a/services/src/main/java/org/keycloak/headers/DefaultSecurityHeadersProvider.java
+++ b/services/src/main/java/org/keycloak/headers/DefaultSecurityHeadersProvider.java
@@ -87,7 +87,6 @@ public class DefaultSecurityHeadersProvider implements SecurityHeadersProvider {
 private void addGenericHeaders(MultivaluedMap headers) {
 addHeader(BrowserSecurityHeaders.STRICT_TRANSPORT_SECURITY, headers);
 addHeader(BrowserSecurityHeaders.X_CONTENT_TYPE_OPTIONS, headers);
- addHeader(BrowserSecurityHeaders.X_XSS_PROTECTION, headers);
 addHeader(BrowserSecurityHeaders.REFERRER_POLICY, headers);
 }
@@ -95,7 +94,6 @@ public class DefaultSecurityHeadersProvider implements SecurityHeadersProvider {
 addHeader(BrowserSecurityHeaders.STRICT_TRANSPORT_SECURITY, headers);
 addHeader(BrowserSecurityHeaders.X_FRAME_OPTIONS, headers);
 addHeader(BrowserSecurityHeaders.X_CONTENT_TYPE_OPTIONS, headers);
- addHeader(BrowserSecurityHeaders.X_XSS_PROTECTION, headers);
 addHeader(BrowserSecurityHeaders.REFERRER_POLICY, headers);
 }
diff --git a/tests/base/src/test/java/org/keycloak/tests/admin/AdminHeadersTest.java b/tests/base/src/test/java/org/keycloak/tests/admin/AdminHeadersTest.java
index ec0e32dd9cb..b2863b7488c 100644
--- a/tests/base/src/test/java/org/keycloak/tests/admin/AdminHeadersTest.java
+++ b/tests/base/src/test/java/org/keycloak/tests/admin/AdminHeadersTest.java
@@ -29,7 +29,6 @@ public class AdminHeadersTest {
 assertDefaultValue(BrowserSecurityHeaders.STRICT_TRANSPORT_SECURITY, h);
 assertDefaultValue(BrowserSecurityHeaders.X_FRAME_OPTIONS, h);
 assertDefaultValue(BrowserSecurityHeaders.X_CONTENT_TYPE_OPTIONS, h);
- assertDefaultValue(BrowserSecurityHeaders.X_XSS_PROTECTION, h);
 assertDefaultValue(BrowserSecurityHeaders.REFERRER_POLICY, h);
 response.close();
diff --git a/testsuite/integration-arquillian/tests/base/src/test/resources/import/import-without-clients.json b/testsuite/integration-arquillian/tests/base/src/test/resources/import/import-without-clients.json
index 1c18e348ef2..7cad7b75f7d 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/resources/import/import-without-clients.json
+++ b/testsuite/integration-arquillian/tests/base/src/test/resources/import/import-without-clients.json
@@ -76,7 +76,6 @@
 "xContentTypeOptions": "nosniff",
 "xRobotsTag": "none",
 "xFrameOptions": "SAMEORIGIN",
- "xXSSProtection": "1; mode=block",
 "contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
 "strictTransportSecurity": "max-age=31536000; includeSubDomains"
 },
@@ -639,7 +638,6 @@
 "clientAuthenticationFlow": "clients",
 "dockerAuthenticationFlow": "docker auth",
 "attributes": {
- "_browser_header.xXSSProtection": "1; mode=block",
 "_browser_header.xFrameOptions": "SAMEORIGIN",
 "_browser_header.strictTransportSecurity": "max-age=31536000; includeSubDomains",
 "permanentLockout": "false",
diff --git a/testsuite/integration-arquillian/tests/base/src/test/resources/import/import-without-roles.json b/testsuite/integration-arquillian/tests/base/src/test/resources/import/import-without-roles.json
index 5f0c80091eb..cf68c2013d8 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/resources/import/import-without-roles.json
+++ b/testsuite/integration-arquillian/tests/base/src/test/resources/import/import-without-roles.json
@@ -672,7 +672,6 @@
 "xContentTypeOptions": "nosniff",
 "xRobotsTag": "none",
 "xFrameOptions": "SAMEORIGIN",
- "xXSSProtection": "1; mode=block",
 "contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
 "strictTransportSecurity": "max-age=31536000; includeSubDomains"
 },
@@ -1235,7 +1234,6 @@
 "clientAuthenticationFlow": "clients",
 "dockerAuthenticationFlow": "docker auth",
 "attributes": {
- "_browser_header.xXSSProtection": "1; mode=block",
 "_browser_header.xFrameOptions": "SAMEORIGIN",
 "_browser_header.strictTransportSecurity": "max-age=31536000; includeSubDomains",
 "permanentLockout": "false",
diff --git a/testsuite/integration-arquillian/tests/base/src/test/resources/import/partial-import.json b/testsuite/integration-arquillian/tests/base/src/test/resources/import/partial-import.json
index 06e30baeedd..5b8a26ff528 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/resources/import/partial-import.json
+++ b/testsuite/integration-arquillian/tests/base/src/test/resources/import/partial-import.json
@@ -53,7 +53,6 @@
 "xContentTypeOptions": "nosniff",
 "xRobotsTag": "none",
 "xFrameOptions": "SAMEORIGIN",
- "xXSSProtection": "1; mode=block",
 "contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
 "strictTransportSecurity": "max-age=31536000; includeSubDomains"
 },
@@ -616,7 +615,6 @@
 "clientAuthenticationFlow": "clients",
 "dockerAuthenticationFlow": "docker auth",
 "attributes": {
- "_browser_header.xXSSProtection": "1; mode=block",
 "_browser_header.xFrameOptions": "SAMEORIGIN",
 "_browser_header.strictTransportSecurity": "max-age=31536000; includeSubDomains",
 "permanentLockout": "false",
diff --git a/testsuite/integration-arquillian/tests/base/src/test/resources/import/testrealm-user-null-attr.json b/testsuite/integration-arquillian/tests/base/src/test/resources/import/testrealm-user-null-attr.json
index ba1a0ba7cbe..f48c80f15c1 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/resources/import/testrealm-user-null-attr.json
+++ b/testsuite/integration-arquillian/tests/base/src/test/resources/import/testrealm-user-null-attr.json
@@ -961,7 +961,6 @@
 "xRobotsTag" : "none",
 "xFrameOptions" : "SAMEORIGIN",
 "contentSecurityPolicy" : "frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
- "xXSSProtection" : "1; mode=block",
 "strictTransportSecurity" : "max-age=31536000; includeSubDomains"
 },
 "smtpServer" : { },
@@ -1594,7 +1593,6 @@
 "_browser_header.contentSecurityPolicyReportOnly" : "",
 "bruteForceProtected" : "false",
 "_browser_header.contentSecurityPolicy" : "frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
- "_browser_header.xXSSProtection" : "1; mode=block",
 "_browser_header.xFrameOptions" : "SAMEORIGIN",
 "_browser_header.strictTransportSecurity" : "max-age=31536000; includeSubDomains",
 "webAuthnPolicyUserVerificationRequirement" : "not specified",
diff --git a/testsuite/integration-arquillian/tests/base/src/test/resources/model/acr-values-import-bug.json b/testsuite/integration-arquillian/tests/base/src/test/resources/model/acr-values-import-bug.json
index 0659534ea8c..7801b36ba4e 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/resources/model/acr-values-import-bug.json
+++ b/testsuite/integration-arquillian/tests/base/src/test/resources/model/acr-values-import-bug.json
@@ -1561,7 +1561,6 @@
 "xRobotsTag": "none",
 "xFrameOptions": "SAMEORIGIN",
 "contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
- "xXSSProtection": "1; mode=block",
 "strictTransportSecurity": "max-age=31536000; includeSubDomains"
 },
 "smtpServer": {},
diff --git a/testsuite/integration-arquillian/tests/base/src/test/resources/token-exchange/testrealm-token-exchange-v2.json b/testsuite/integration-arquillian/tests/base/src/test/resources/token-exchange/testrealm-token-exchange-v2.json
index 0e95442d1fc..15067eafbb4 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/resources/token-exchange/testrealm-token-exchange-v2.json
+++ b/testsuite/integration-arquillian/tests/base/src/test/resources/token-exchange/testrealm-token-exchange-v2.json
@@ -2151,7 +2151,6 @@
 "xRobotsTag" : "none",
 "xFrameOptions" : "SAMEORIGIN",
 "contentSecurityPolicy" : "frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
- "xXSSProtection" : "1; mode=block",
 "strictTransportSecurity" : "max-age=31536000; includeSubDomains"
 },
 "smtpServer" : { },