I am not use of middleware but i go throught cakebook I got the code like this
use Cake\Http\Middleware\SecurityHeadersMiddleware;
$securityHeaders = new SecurityHeadersMiddleware();
$securityHeaders
->setCrossDomainPolicy()
->setReferrerPolicy()
->setXFrameOptions()
->setXssProtection()
->noOpen()
->noSniff();$middlewareQueue->add($securityHeaders);
->setXssProtection(1) is this need to set 1 or not i am not aware the code, try to look your code