To enable X-XSS-Protection header in IIS add following to your site’s Web.config file.
<configuration>
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="X-XSS-Protection" value="1; mode=block" />
</customHeaders>
</httpProtocol>
</system.webServer>
</configuration>
Read more about X-XSS-Protection header here.