diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index bff6fa785f..15928867a0 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -67,6 +67,10 @@ Changed
 Contributed by @cognifloyd
+* Changed the `X-XSS-Protection` HTTP header from `1; mode=block` to `0` in the `conf/nginx/st2.conf` to align with the OWASP security standards. #5298
+
+ Contributed by @LiamRiddell
+
 3.7.0 - May 05, 2022
 --------------------
diff --git a/conf/nginx/st2.conf b/conf/nginx/st2.conf
index 41f8bcf6a3..fc2243068a 100644
--- a/conf/nginx/st2.conf
+++ b/conf/nginx/st2.conf
@@ -49,7 +49,7 @@ server {
 add_header X-Content-Type-Options nosniff;
 add_header X-Frame-Options DENY always;
 add_header Strict-Transport-Security "max-age=3153600;includeSubDomains";
- add_header X-XSS-Protection "1; mode=block";
+ add_header X-XSS-Protection "0";
 location @apiError {
 add_header Content-Type application/json always;
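Review bot: The new `add_header X-XSS-Protection "0";` line still omits the `always` parameter that the neighbouring `X-Frame-Options` line carries, so nginx only attaches it to responses with certain success and redirect status codes and not to error responses, which is where disabling a legacy browser filter matters most; `add_header X-XSS-Protection "0" always;` would make it consistent. Separately, nginx inherits `add_header` directives from the enclosing level only when the current level defines none of its own, so the `location @apiError { add_header Content-Type ... }` block visible at the end of the hunk will not emit this or the other server-level security headers for those responses unless they are repeated there — worth confirming against the rest of the file. The HSTS context line uses `max-age=3153600` (roughly 36 days), which looks like a dropped digit from the usual one-year `31536000`; unrelated to this commit but easy to correct alongside it. The enclosing `server` block starts before and ends after this hunk.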