If you're running your app in the cloud this is not possible AFAIK as this is a setting on the web-server serving your app. The setting on this server are defined by Mendix. Maybe file a ticket with support to find out if they can enable this.
If you are running 'on premise', in other words have control over your web-server configuration then you can enable this.
nginx: add_header x-xss-protection "1; mode=block" always; apache: header always set x-xss-protection "1; mode=block"