diff --git a/phoss-smp-webapp/src/main/java/com/helger/phoss/smp/servlet/SMPWebAppListener.java b/phoss-smp-webapp/src/main/java/com/helger/phoss/smp/servlet/SMPWebAppListener.java
index 0c9b40708..1b6d0349d 100644
--- a/phoss-smp-webapp/src/main/java/com/helger/phoss/smp/servlet/SMPWebAppListener.java
+++ b/phoss-smp-webapp/src/main/java/com/helger/phoss/smp/servlet/SMPWebAppListener.java
@@ -213,6 +213,11 @@ protected void initGlobalSettings ()
       // Peppol SMP is always http only
       UnifiedResponseDefaultSettings.removeStrictTransportSecurity ();
     }
+    // Instead of the service using the X-XSS-Protection header, a better way to
+    // protect against XSS attacks is final to define a final strong
+    // Content-Security-Policy header final that prevents the final execution of
+    // embedded final JavaScript code.
+    UnifiedResponseDefaultSettings.setEnableXSSFilter (false);
     // Avoid writing unnecessary stuff
     setHandleStatisticsOnEnd (SMPWebAppConfiguration.isPersistStatisticsOnEnd ());
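Review bot: The added comment above `UnifiedResponseDefaultSettings.setEnableXSSFilter (false);` contains five stray `final` tokens (`is final to define a final strong`, `header final that`, `the final execution`, `embedded final JavaScript`) that look like an accidental editor insertion and make the sentence unreadable; it should read `// Instead of using the X-XSS-Protection header, a better way to protect against XSS attacks is to define a strong Content-Security-Policy header that prevents the execution of embedded JavaScript code.` The comment also justifies dropping the header with a Content-Security-Policy that this hunk does not configure; if no CSP header is set elsewhere in initGlobalSettings, the comment promises a mitigation the code does not provide, so either add the CSP setup next to this call or reword the comment to state only that the legacy header is no longer emitted. initGlobalSettings starts before the hunk and the rest of its body is not visible here.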