diff --git a/nginx/snippets/security-headers.conf b/nginx/snippets/security-headers.conf
index 6679cf0..6d56ca6 100644
--- a/nginx/snippets/security-headers.conf
+++ b/nginx/snippets/security-headers.conf
@@ -7,5 +7,5 @@ add_header Cross-Origin-Embedder-Policy "require-corp" always;
 # obsolete when client system time is correct
 add_header Expect-CT "enforce, max-age=63072000" always;
 
-# obsolete and replaced with strong Content-Security-Policy
-add_header X-XSS-Protection "1; mode=block" always;
+# obsolete, unsafe and replaced with strong Content-Security-Policy
+add_header X-XSS-Protection "0" always;