Version 6 and below of secure_headers set the X-Xss-Protection to 1; mode=block by default. This was done to protect against reflected XSS attacks. However, this header is no longer recommended (see #439 for more information).
If any functionality in your app depended on this header being set to the previous value, you will need to set it explicitly in your configuration.
# config/initializers/secure_headers.rb
SecureHeaders::Configuration.default do |config|
config.x_xss_protection = "1; mode=block"
end