Content-Security-Policy (current) or X-XSS-Protection (outdated) headers are not set by default after installing Qlik Sense Enterprise on Windows.
While potentially great for improving site security, Qlik has no authority over the environment Qlik Sense is deployed in. If the specific custom header or other headers are deemed necessary, they can be added to the virtual proxy from the Qlik Sense Enterprise Management panel. See Qlik Sense for Administrators: Virtual Proxies.
Related Content
Qlik Sense Enterprise on Windows: Securing and Hardening Server