X-XSS-Protection

The X-XSS-Protection response header provides a layer of protection against reflected cross-site scripting (XSS) attacks by instructing the browser to stop rendering a page in which it has detected a reflected XSS payload. This is a best-effort, second line of defense: it helps when an attacker uses evasion techniques to get past the neutralization (output encoding and filtering) that the application applies by default. When configured appropriately, browser-level XSS filters add a further layer of defense against web application attacks. Note that HTTP 4xx and 5xx responses (error pages) can also be vulnerable to XSS, since they often reflect the requested URL or parameters. For better security, the X-XSS-Protection header should therefore be set on 4xx and 5xx responses as well, not only on successful ones.

Solution
It is recommended to set the X-XSS-Protection header to the value 1; mode=block on all relevant responses, including error responses, to activate the browser's XSS filter in blocking mode.
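As an added example (not part of the original finding), the following Python audit helper checks a set of captured HTTP responses for the recommended header value, treating 4xx/5xx error pages exactly like 2xx pages; the Response class and the sample responses are constructed for illustration, not real traffic.

```python
from dataclasses import dataclass, field

@dataclass
class Response:
    """Minimal stand-in for an HTTP response: URL, status code and headers (constructed)."""
    url: str
    status: int
    headers: dict = field(default_factory=dict)

def get_header(resp, name):
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    return next((v for k, v in resp.headers.items() if k.lower() == name.lower()), None)

def parse_xss_protection(value):
    """Split e.g. '1; mode=block; report=<url>' into its enabled flag and directives."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    parsed = {"enabled": bool(parts) and parts[0] == "1", "mode": None, "report": None}
    for directive in parts[1:]:
        key, _, val = directive.partition("=")
        if key.strip().lower() in ("mode", "report"):
            parsed[key.strip().lower()] = val.strip()
    return parsed

def check_response(resp):
    """Return one finding string, or None when the header matches the recommendation."""
    value = get_header(resp, "X-XSS-Protection")
    where = f"{resp.url} ({resp.status})"
    if value is None:
        return f"{where}: X-XSS-Protection header missing"
    parsed = parse_xss_protection(value)
    if not parsed["enabled"]:
        return f"{where}: filter explicitly disabled ({value!r})"
    if parsed["mode"] != "block":
        return f"{where}: filter enabled without mode=block ({value!r})"
    return None

def audit(responses):
    """Check every response; 4xx/5xx pages are checked exactly like 2xx pages."""
    return [f for f in (check_response(r) for r in responses) if f]

# Constructed sample responses (not real traffic): one correct page, a 404 without the
# header, a page with the filter on but no mode=block, and a 500 that disables the filter.
SAMPLE = [
    Response("https://example.test/", 200, {"X-XSS-Protection": "1; mode=block"}),
    Response("https://example.test/nope", 404, {"Content-Type": "text/html"}),
    Response("https://example.test/search", 200, {"x-xss-protection": "1"}),
    Response("https://example.test/fail", 500, {"X-XSS-Protection": "0"}),
]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "all responses set X-XSS-Protection: 1; mode=block")
```

Current Chromium-based browsers and Firefox no longer implement this filter, so treat the header as a legacy hardening layer that complements, rather than replaces, output encoding and Content-Security-Policy.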