how to set Http header X-XSS-Protection

If you are using .Net MVC you can configure it through customHeaders in Web.Config.

To add these headers, go to the httpprotocol node and add those headers inside the customHeaders node.

<system.webServer>
    <httpProtocol>
        <customHeaders>
            <!-- drop the default ASP.NET fingerprint header -->
            <remove name="X-Powered-By" />
            <!-- tell supporting browsers to enable the filter and block the page on detection -->
            <add name="X-XSS-Protection" value="1; mode=block" />
        </customHeaders>
    </httpProtocol>
</system.webServer>

I highly recommend this link that explains how you can configure Secure IIS Response Headers in ASP.NET MVC: http://insiderattack.blogspot.com/2014/04/configuring-secure-iis-response-headers.html


In Apache, you need to edit the config file, this file could be:

/etc/apache2/apache2.conf

/etc/apache2/httpd.conf

In the file you can add these lines at the end to enable HTTP Header XSS Protection:

<IfModule mod_headers.c>
    # header name, then value; no colon after the name or Apache sets a header called "X-XSS-Protection:"
    Header set X-XSS-Protection "1; mode=block"
</IfModule>

Note: if mod_headers is external to the main Apache core (not compiled into Apache) then you would use .so rather than .c - i.e. <IfModule mod_headers.so>

After that, save changes, and restart apache with:

sudo service apache2 restart

or

sudo service httpd restart

Hope this helps! :)


I doubt it'd work as just a meta tag. You may have to tell your web server to send it as a real header.

In PHP, you'd do it like

header("X-XSS-Protection: 0");

In ASP.net:

Response.AppendHeader("X-XSS-Protection","0")

In Apache's config:

Header set X-XSS-Protection 0

In IIS, there's a section in the properties for extra headers. It often has "X-Powered-By: ASP.NET" already set up in it; you'd just add "X-XSS-Protection: 0" to that same place.
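Whichever of the servers in the two answers above you configure, the thing worth confirming afterwards is that the header actually reaches the client with the value you intended. This added Python check (not code from either answer; the sample responses are constructed inline) parses a raw HTTP response, matches the header name case-insensitively as browsers do, and interprets the value:

```python
# Added example, not code from either answer: report whether a response
# carries X-XSS-Protection and what its value asks the browser to do.
# The sample responses at the bottom are constructed, not captured.

def parse_xss_protection(value):
    """Interpret a header value: '0', '1', '1; mode=block', '1; report=<uri>'."""
    parts = [p.strip() for p in value.split(";")]
    if parts[0] not in ("0", "1"):
        return {"valid": False, "raw": value}
    result = {"valid": True, "enabled": parts[0] == "1",
              "mode": None, "report": None, "raw": value}
    for directive in parts[1:]:
        name, _, arg = directive.partition("=")
        name, arg = name.strip().lower(), arg.strip()
        if name == "mode" and arg.lower() == "block":
            result["mode"] = "block"
        elif name == "report" and arg:
            result["report"] = arg
        else:
            result["valid"] = False  # unknown directive or bad argument
    return result

def check_response(raw):
    """Take raw HTTP response bytes and report on X-XSS-Protection.

    Header names are compared case-insensitively. If the server config
    mistyped the name (e.g. a stray colon after it), the value a browser
    sees starts with ':' and is reported as present but invalid.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    values = [v for n, v in headers if n == "x-xss-protection"]
    if not values:
        return {"status": lines[0], "present": False}
    # Browsers act on the first occurrence; duplicates usually mean the
    # app and the server both set it, which is worth knowing about.
    info = parse_xss_protection(values[0])
    info.update({"status": lines[0], "present": True,
                 "duplicates": len(values) - 1})
    return info

# Constructed sample responses (no real server involved).
APACHE_OK = (b"HTTP/1.1 200 OK\r\nServer: Apache\r\n"
             b"X-XSS-Protection: 1; mode=block\r\n\r\n<html>")
DISABLED = b"HTTP/1.1 200 OK\r\nx-xss-protection: 0\r\n\r\n"
MISSING = b"HTTP/1.1 200 OK\r\nX-Powered-By: ASP.NET\r\n\r\n"
TYPO = b"HTTP/1.1 200 OK\r\nX-XSS-Protection:: 1; mode=block\r\n\r\n"
```

To check a live server, feed `check_response` the bytes of a `curl -si` capture or of a response read from a socket.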