Description of subType of the issue:
X-XSS-Protection: 0
This behavior does not in itself constitute a vulnerability; in some cases XSS filters may themselves be leveraged to perform attacks against application users. However, in typical situations XSS filters do provide basic protection for application users against some XSS vulnerabilities in applications. The presence of this header should be reviewed to establish whether it affects the application's security posture.
Issue remediation
Review whether the application needs to disable XSS filters. In most cases you can gain the protection provided by XSS filters without the associated risks by using the following response header:
X-XSS-Protection: 1; mode=block
When this header is set, browsers that detect an XSS attack will simply render a blank page instead of attempting to sanitize the injected script. This behavior is considerably less likely to introduce new security issues.
The X-XSS-Protection header isn't really needed.
It isn't even implemented in Firefox.
It can be quite helpful with old browsers, but is pretty much useless since such things should be handled with CSP.
I can't verify this since permission from the owner is required to test anything related to injecting scripts/commands.
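
An added example, not part of the original report or of any scanner's code: a small Python check that classifies the X-XSS-Protection values described above (0, 1, and 1; mode=block) and records whether a Content-Security-Policy header is also present, which needs only an ordinary response and no script injection. The function names, state labels and sample responses are assumptions made for this example.

```python
def parse_xxp(value):
    """Return (state, directives) for one X-XSS-Protection header value."""
    flag, *rest = [part.strip() for part in value.split(";")]
    directives = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            directives[key.strip().lower()] = val.strip()
    if flag == "0":
        return "disabled", directives
    if flag == "1":
        # Without mode=block the filter tries to sanitize the page instead.
        blocking = directives.get("mode", "").lower() == "block"
        return ("block" if blocking else "sanitize"), directives
    return "invalid", directives


def review_headers(headers):
    """headers: list of (name, value) pairs from one HTTP response."""
    xxp = [v for n, v in headers if n.lower() == "x-xss-protection"]
    has_csp = any(n.lower() == "content-security-policy" for n, _ in headers)
    if not xxp:
        state = "absent"
    elif len({v.strip().lower() for v in xxp}) > 1:
        state = "conflicting"  # this example's own label: review by hand
    else:
        state = parse_xxp(xxp[0])[0]
    return {"xss_filter": state, "csp_present": has_csp}


# Constructed sample responses (not taken from any real application).
SAMPLES = {
    "filter disabled, no CSP": [("X-XSS-Protection", "0")],
    "block mode with CSP": [
        ("x-xss-protection", "1; mode=block"),
        ("Content-Security-Policy", "default-src 'self'"),
    ],
    "conflicting values": [("X-XSS-Protection", "0"), ("X-XSS-Protection", "1")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, "->", review_headers(hdrs))
```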