You should create an ACL for the /stats-xml URI if you want to limit the users who can view the stats-xml statistics for your server from a browser.
The ACL file must also be referenced in the stats-xml object definition in the obj.conf file. For example, if you created a named ACL for the /stats-xml URI, you would need to reference the ACL file in a PathCheck statement in the object definition as follows:
<Object name="stats-xml">
PathCheck fn="check-acl" acl="stats.acl"
Service fn="stats-xml"
</Object>