U.S. Dept Of Defense: X-XSS-Protection -> Misconfiguration
Hi there,

URL: https://www.sfl-tap.army.mil/

I have seen that the website is using the X-XSS-Protection header, but it has a strange configuration. When I took a look at securityheaders, I saw that you guys use this as configuration:

X-XSS-Protection: DENY

DENY is used for the X-Frame Option...
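
Added example, not part of the original report: a check that validates each security header's value against the values defined for that header and, when a value is invalid, names the header it would be valid for, which is the mix-up described above. The response text and the names GRAMMAR, parse_headers and audit are constructed for illustration.

```python
import re

# Documented value forms per header (matched case-insensitively).
# X-XSS-Protection: 0 | 1 | 1; mode=block | 1; report=<uri>
# X-Frame-Options: DENY | SAMEORIGIN (ALLOW-FROM is obsolete and not accepted here)
GRAMMAR = {
    "x-xss-protection": re.compile(r"0|1(\s*;\s*(mode=block|report=\S+))?", re.I),
    "x-frame-options": re.compile(r"deny|sameorigin", re.I),
    "x-content-type-options": re.compile(r"nosniff", re.I),
}

# Constructed sample response head reproducing the reported value.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-XSS-Protection: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
)

def parse_headers(raw):
    """Return (lowercased name, value) pairs from a raw HTTP response head."""
    pairs = []
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header section
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit(raw):
    """List headers whose value does not match the forms defined for them."""
    findings = []
    for name, value in parse_headers(raw):
        rule = GRAMMAR.get(name)
        if rule is None or rule.fullmatch(value):
            continue
        # A value that is valid for another header suggests a copy/paste mix-up.
        valid_for = sorted(h for h, r in GRAMMAR.items()
                           if h != name and r.fullmatch(value))
        findings.append({"header": name, "value": value, "valid_for": valid_for})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```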