Added X-Xss-Protection snippet

README.md

@@ -39,6 +39,8 @@ What we are doing here is mostly collecting useful snippets from all over the in
     - [Password Protect a File or Several Files](#password-protect-a-file-or-several-files)
     - [Block Visitors by Referrer](#block-visitors-by-referrer)
     - [Prevent Framing the Site](#prevent-framing-the-site)
+    - [Help to Prevent Cross-Site Scripting](#help-to-prevent-cross-site-scripting)
+    - [Prevents Mime-Sniffing the Incorrect Content-Type](#prevents-mime-sniffing-the-incorrect-content-type)
 - [Performance](#performance)
     - [Compress Text Files](#compress-text-files)
     - [Set Expires Headers](#set-expires-headers)
@@ -330,6 +332,20 @@ SetEnvIf Request_URI "/starry-night" allow_framing=true
 Header set X-Frame-Options SAMEORIGIN env=!allow_framing
 ```
 
+### Help to Prevent Cross-Site Scripting
+This uses the built-in reflective XSS protection found in Internet Explorer, Chrome and Safari (Webkit) to block the response if it detects an attack.
+[Source](https://scotthelme.co.uk/hardening-your-http-response-headers/#x-xss-protection)
+``` apacheconf
+Header always set X-Xss-Protection "1; mode=block"
+```
+
+### Prevents Mime-Sniffing the Incorrect Content-Type
+This reduces the risk of a file, such as an cleverly-misnamed executable, being treated as a different content-type by the browser than the one being declared by the server. It also reduces exposure to drive-by downloads.
+[Source](https://scotthelme.co.uk/hardening-your-http-response-headers/#x-content-type-options)
+``` apacheconf
+Header always set X-Content-Type-Options "nosniff"
+```
+
 ## Performance
 ### Compress Text Files
 ``` apacheconf