This header tells the browser to help out with protecting the user from cross-site scripting.
The header X-XSS-Protection protects the user from reflected cross-site scripting attacks but it isn't a full protection against xxs attacks so you still need to protect against it with other methods like input and output cleaning.
There is three possible directives for this header:
- 0 - (zero), disable it. Make sure to specify Reflected-XSS directive in the header Content-Security-Policy instead.
- 1 - allow the browser to sanitize the page by removing the unsafe parts. Usually default at browsers but opens up the site to a false-positive attack making the browser removes your own scripts from the page and in worst case making it more vulnerable.
- 1; mode=block - if browsers detects an attack it will not render the page at all.
And you can also add
- ; report=<reporting-URI> when using the "1" option. If an attack is detected the browser will sanitize or block depending on the mode you selected and then send a report to the URI specified. If you don't like to set up that reporting endpoint yourself you can use https://report-uri.com/.
This header can mostly be replace with Content-Security-Policy but it works on older browsers so it can be a good fallback.
HTTP Header Tester: X-XSS-Protection
Adding it can look like this:
<add name="X-XSS-Protection" value="1;mode=block"/>
Read more about: How to add headers to your .net site
Previously in the Security Headers series: Strict Transport Security
Next up in the Security Headers series: X-Frame-Options