XSS attacks attempt to inject JavaScript code into website output. With malicious code injected into another website, the attacker can access information they otherwise could not retrieve. The X-XSS-Protection header prevents certain XSS attacks, but not all of them.
// Send the X-XSS-Protection header on every response
app.use(helmet.xssFilter());
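
Because the header does not stop every XSS attack, reflected input still needs output encoding. The following is an added example, not Helmet's or this page's own code: a plain Node.js handler that sets the header and HTML-encodes a reflected parameter. The /greet endpoint, the names escapeHtml, buildResponse and handle, and the header value "1; mode=block" are assumptions made for the illustration.

```javascript
// Added example: plain Node.js, no Express or Helmet needed to run it.

// Assumed header value for this sketch; the value Helmet sends depends on its version.
const XSS_PROTECTION = "1; mode=block";

// Encode the characters that let text break out of HTML body or
// quoted-attribute context. This is the primary defence; the header is extra.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Build the response for a hypothetical /greet?name=... endpoint.
function buildResponse(requestUrl) {
  const url = new URL(requestUrl, "http://localhost");
  const name = url.searchParams.get("name") || "guest";
  return {
    status: 200,
    headers: {
      "Content-Type": "text/html; charset=utf-8",
      "X-XSS-Protection": XSS_PROTECTION,
    },
    body: `<!doctype html><p>Hello, ${escapeHtml(name)}!</p>`,
  };
}

// Request listener with the (req, res) shape that http.createServer() accepts.
function handle(req, res) {
  const { status, headers, body } = buildResponse(req.url);
  res.writeHead(status, headers);
  res.end(body);
}

// Constructed sample request: the reflected markup comes back as inert text.
const sample = buildResponse("/greet?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E");
console.log(sample.headers["X-XSS-Protection"]);
console.log(sample.body);
```
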