diff --git a/h5bp/basic.conf b/h5bp/basic.conf
index 59927ac..faf9afc 100644
--- a/h5bp/basic.conf
+++ b/h5bp/basic.conf
@@ -4,6 +4,5 @@
 include h5bp/security/referrer-policy.conf;
 include h5bp/security/x-content-type-options.conf;
 include h5bp/security/x-frame-options.conf;
-include h5bp/security/x-xss-protection.conf;
 include h5bp/location/security_file_access.conf;
 include h5bp/cross-origin/requests.conf;
diff --git a/h5bp/security/x-xss-protection.conf b/h5bp/security/x-xss-protection.conf
deleted file mode 100644
index df81f49..0000000
--- a/h5bp/security/x-xss-protection.conf
+++ /dev/null
@@ -1,38 +0,0 @@
-# ----------------------------------------------------------------------
-# | Cross-Site Scripting (XSS) Protection |
-# ----------------------------------------------------------------------
-
-# Protect website reflected Cross-Site Scripting (XSS) attacks.
-#
-# (1) Try to re-enable the cross-site scripting (XSS) filter built into most
-# web browsers.
-#
-# The filter is usually enabled by default, but in some cases, it may be
-# disabled by the user. However, in Internet Explorer, for example, it can
-# be re-enabled just by sending the `X-XSS-Protection` header with the
-# value of `1`.
-#
-# (2) Prevent web browsers from rendering the web page if a potential reflected
-# (a.k.a non-persistent) XSS attack is detected by the filter.
-#
-# By default, if the filter is enabled and browsers detect a reflected XSS
-# attack, they will attempt to block the attack by making the smallest
-# possible modifications to the returned web page.
-#
-# Unfortunately, in some browsers (e.g.: Internet Explorer), this default
-# behavior may allow the XSS filter to be exploited. Therefore, it's better
-# to inform browsers to prevent the rendering of the page altogether,
-# instead of attempting to modify it.
-#
-# https://hackademix.net/2009/11/21/ies-xss-filter-creates-xss-vulnerabilities
-#
-# (!) Do not rely on the XSS filter to prevent XSS attacks! Ensure that you are
-# taking all possible measures to prevent XSS attacks, the most obvious
-# being: validating and sanitizing your website's inputs.
-#
-# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
-# https://blogs.msdn.microsoft.com/ie/2008/07/02/ie8-security-part-iv-the-xss-filter/
-# https://blogs.msdn.microsoft.com/ieinternals/2011/01/31/controlling-the-xss-filter/
-# https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
-
-add_header X-XSS-Protection $x_xss_protection always;
diff --git a/nginx.conf b/nginx.conf
index 887d38b..56db890 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -96,13 +96,6 @@ http {
 # Specify file cache expiration.
 include h5bp/web_performance/cache_expiration.conf;
 
- # Add X-XSS-Protection for HTML documents.
- # h5bp/security/x-xss-protection.conf
- map $sent_http_content_type $x_xss_protection {
- # (1) (2)
- ~*text/html "1; mode=block";
- }
-
 # Add X-Frame-Options for HTML documents.
 # h5bp/security/x-frame-options.conf
 map $sent_http_content_type $x_frame_options {
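Review bot: Nothing in this diff shows whether any other fragment still references `$x_xss_protection`; once this map is gone, nginx fails its configuration test on an unknown variable rather than silently omitting the header, so a leftover `add_header X-XSS-Protection $x_xss_protection always;` in a vhost or site-specific snippet would break the reload instead of degrading gracefully. A repository-wide search for the variable name before merging would rule that out. The deleted h5bp/security/x-xss-protection.conf was also the only place recording the reasoning (its own comment warns that the filter can be turned against the page and must not be relied on), so with it gone the omission could later be mistaken for an oversight and re-added; a one-line comment at the former include position in h5bp/basic.conf, `# X-XSS-Protection is intentionally not sent; rely on Content-Security-Policy instead.`, would preserve that intent.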