1. headers http header: x-xss-protection