diff --git a/packages/aws-cdk-lib/aws-cloudfront/README.md b/packages/aws-cdk-lib/aws-cloudfront/README.md
index 69dd28e093cc1..6d2ea99025098 100644
--- a/packages/aws-cdk-lib/aws-cloudfront/README.md
+++ b/packages/aws-cdk-lib/aws-cloudfront/README.md
@@ -308,6 +308,9 @@ You can configure CloudFront to add one or more HTTP headers to the responses th
 To specify the headers that CloudFront adds to HTTP responses, you use a response headers policy. CloudFront adds the headers regardless of whether it serves the object from the cache or has to retrieve the object from the origin. If the origin response includes one or more of the headers that’s in a response headers policy, the policy can specify whether CloudFront uses the header it received from the origin or overwrites it with the one in the policy. See https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/adding-response-headers.html
+> [!NOTE]
+> If xssProtection `reportUri` is specified, then `modeBlock` cannot be set to `true`.
+
 ```ts
 // Using an existing managed response headers policy
 declare const bucketOrigin: origins.S3Origin;
@@ -343,7 +346,7 @@ const myResponseHeadersPolicy = new cloudfront.ResponseHeadersPolicy(this, 'Resp
 frameOptions: { frameOption: cloudfront.HeadersFrameOption.DENY, override: true },
 referrerPolicy: { referrerPolicy: cloudfront.HeadersReferrerPolicy.NO_REFERRER, override: true },
 strictTransportSecurity: { accessControlMaxAge: Duration.seconds(600), includeSubdomains: true, override: true },
- xssProtection: { protection: true, modeBlock: true, reportUri: 'https://example.com/csp-report', override: true },
+ xssProtection: { protection: true, modeBlock: false, reportUri: 'https://example.com/csp-report', override: true },
 },
 removeHeaders: ['Server'],
 serverTimingSamplingRate: 50,
diff --git a/packages/aws-cdk-lib/aws-cloudfront/test/response-headers-policy.test.ts b/packages/aws-cdk-lib/aws-cloudfront/test/response-headers-policy.test.ts
index 2950ec5373dea..44299554f07ac 100644
--- a/packages/aws-cdk-lib/aws-cloudfront/test/response-headers-policy.test.ts
+++ b/packages/aws-cdk-lib/aws-cloudfront/test/response-headers-policy.test.ts
@@ -62,7 +62,7 @@ describe('ResponseHeadersPolicy', () => {
 frameOptions: { frameOption: HeadersFrameOption.DENY, override: true },
 referrerPolicy: { referrerPolicy: HeadersReferrerPolicy.NO_REFERRER, override: true },
 strictTransportSecurity: { accessControlMaxAge: Duration.seconds(600), includeSubdomains: true, override: true },
- xssProtection: { protection: true, modeBlock: true, reportUri: 'https://example.com/csp-report', override: true },
+ xssProtection: { protection: true, modeBlock: false, reportUri: 'https://example.com/csp-report', override: true },
 },
 removeHeaders: ['Server'],
 serverTimingSamplingRate: 12.3456,
@@ -136,7 +136,7 @@ describe('ResponseHeadersPolicy', () => {
 Override: true,
 },
 XSSProtection: {
- ModeBlock: true,
+ ModeBlock: false,
 Override: true,
 Protection: true,
 ReportUri: 'https://example.com/csp-report',
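Review bot: The fixture in the first hunk (and the matching template assertion in the second) now only steers around the `modeBlock: true` + `reportUri` combination; nothing in this test file asserts that the combination the README note calls out is actually rejected, so the constraint that motivated this change is not pinned by a test. Whether the rejection is done by construct-side validation or by the service at deploy time is not visible in this diff; if the construct validates it, a dedicated `test` that expects the constructor to throw would keep the documented contract from regressing silently. The `describe` block and the `stack` fixture it uses start outside the hunk, so the snippet below assumes the file's existing `stack` variable and the `securityHeadersBehavior` prop name and should be adjusted to match; the thrown message is left unmatched because its text is not in the diff.
```typescript
// … unchanged: existing 'ResponseHeadersPolicy' tests …
test('throws when xssProtection modeBlock is true and reportUri is set', () => {
  expect(() => new ResponseHeadersPolicy(stack, 'InvalidXssPolicy', {
    securityHeadersBehavior: {
      xssProtection: { protection: true, modeBlock: true, reportUri: 'https://example.com/csp-report', override: true },
    },
  })).toThrow();
});
```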