brian
Answered 13 May 2023
ASP.NET Core provides built-in protection against cross-site scripting (XSS) attacks by automatically encoding user input in Razor views. Razor syntax and HTML helpers encode user input by default, preventing the execution of malicious scripts. Additionally, you can use the [ValidateAntiForgeryToken] attribute to protect against cross-site request forgery (CSRF) attacks by ensuring that requests include a valid anti-forgery token.
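
The two mechanisms named in the answer above, shown as an added example that is not part of the original answer: a `Program.cs` that applies `HtmlEncoder` (the encoder class Razor uses by default for `@` expressions) and calls `IAntiforgery`, the service behind `[ValidateAntiForgeryToken]`, directly. It assumes a .NET 8 web project with implicit usings; the `/comment` route and the `name` and `text` fields are made up for the illustration.

```csharp
// Added example, not from the original answer. Assumes a .NET 8 web project
// (Microsoft.NET.Sdk.Web, implicit usings). Route and field names are hypothetical.
using System.Text.Encodings.Web;
using Microsoft.AspNetCore.Antiforgery;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAntiforgery();   // token service that [ValidateAntiForgeryToken] relies on
var app = builder.Build();

// GET: render a form. The user-controlled "name" value is HTML-encoded before it
// is written into markup, which is what a Razor @name expression does by default.
app.MapGet("/comment", (HttpContext ctx, IAntiforgery antiforgery, string? name) =>
{
    // Issues the cookie token and returns the matching request token for the form.
    var tokens = antiforgery.GetAndStoreTokens(ctx);
    var safeName = HtmlEncoder.Default.Encode(name ?? "guest");
    var html = $"""
        <p>Hello, {safeName}</p>
        <form method="post" action="/comment">
          <input type="hidden" name="{tokens.FormFieldName}" value="{tokens.RequestToken}" />
          <input name="text" />
          <button>Post</button>
        </form>
        """;
    return Results.Content(html, "text/html");
});

// POST: reject the request unless the cookie token and the form token match,
// the same check the [ValidateAntiForgeryToken] filter performs on an MVC action.
app.MapPost("/comment", async (HttpContext ctx, IAntiforgery antiforgery) =>
{
    try
    {
        await antiforgery.ValidateRequestAsync(ctx);
    }
    catch (AntiforgeryValidationException)
    {
        return Results.BadRequest("Missing or invalid anti-forgery token.");
    }
    var form = await ctx.Request.ReadFormAsync();
    var text = HtmlEncoder.Default.Encode(form["text"].ToString());
    return Results.Content($"<p>Saved: {text}</p>", "text/html");
});

app.Run();
```

Requesting `/comment?name=<script>alert(1)</script>` returns the value as inert text in the page, and a POST sent without the hidden token field gets a 400 response.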