From 23aeb33eb7111b5f7d02a1cfad65fbe0c1a2cbe5 Mon Sep 17 00:00:00 2001
From: Olufunke Moronfolu <olufunke.moronfolu@mendix.com>
Date: Mon, 8 Jun 2026 12:09:14 +0200
Subject: [PATCH] Add warning for X-XSS-Protection header deprecation

---
 .../docs/deployment/mendix-cloud-deploy/environments-details.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/en/docs/deployment/mendix-cloud-deploy/environments-details.md b/content/en/docs/deployment/mendix-cloud-deploy/environments-details.md
index 6c8d2b0cd20..e90a5d8f2d4 100644
--- a/content/en/docs/deployment/mendix-cloud-deploy/environments-details.md
+++ b/content/en/docs/deployment/mendix-cloud-deploy/environments-details.md
@@ -255,7 +255,7 @@ Mendix Cloud supports the following HTTP headers in the Mendix Portal:
 | `X-Content-Type-Options`      | Indicates that the MIME types advertised in the Content-Type headers should not be changed and be followed. |
 | `X-Frame-Options`             | Indicates whether or not a browser should be allowed to render a page in a `<frame>`, `<iframe>`, `<embed>`, or `<object>`. The default is not to allow apps to be rendered inside frames. This was the value set previously to prevent embedding in an iframe.<br/>For details on running your app inside an iframe, see [Running Your App in an Iframe](#iframe), below. |
 | `X-Permitted-Cross-Domain-Policies` | Specifies whether the page can load resources from a different domain. |
-| `X-XSS-Protection`            | Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. |
+| `X-XSS-Protection`            | Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.<br/>{{% alert color="warning" %}}This header is [deprecated](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection) and not recommended for new implementations.{{% /alert %}} |
 
 There are three types of values for these headers: