Over recent years, new security standards have been set by the W3C, and implemented by browser vendors. The idea was to create a set of HTTP headers that developers could use in order to add a browser-based layer of security for their web applications.
Indeed, many security problems can (or should) be remediated on the client side (e.g. Same Origin Policy), and by improving the security of the platforms it was clear that the overall security level of web applications would increase, with little regard to the actual server-side implementation.
Let’s present a quick overview of these HTTP headers:
Description: Enables a Cross-Site Scripting (XSS) filter in the browser that blocks the malicious reflected XSS code.
X-XSS-Protection: 1; mode=block
Supported Browsers: IE 8+, Chrome, Safari (WebKit).
Additional Information: https://blogs.msdn.microsoft.com/ie/2008/07/02/ie8-security-part-iv-the-xss-filter/