X-SendFile is a header that a script written in a language such as PHP, Python, Perl or Ruby can send through CGI (or an equivalent interface) or from a FastCGI application. The HTTP server processes the header itself (it is not sent to the client) and takes it as an instruction to serve a static file instead of sending the CGI output.
Consider the case where we want to send a big file from a CGI script that uses authentication. The traditional way was to set the Content-Type header and send all the binary data. Some sophisticated programs even parsed the HTTP headers in order to send only chunks of the file. However, each of those requests uses memory, handles and processes for the whole transfer, communicating with the HTTP server, which acts as a bridge, sending all the data to the client.
With X-SendFile you only need to send that header, specifying the path to the file you want to send, and then finish the CGI/FastCGI request. The script stays in memory only for the time needed to verify the authentication and send a single header to the server. This is much more efficient. We can even store in a session that the user has permission to download the file, and that session can be accessed quickly. The HTTP server will be in charge of handling the headers in order to send the data the user requests.
The X-SendFile header is implemented in the most popular HTTP servers: in the main core of lighttpd and nginx, or through a module, mod_xsendfile, for Apache.
Each server handles the header in its own way, allowing configuration parameters and security restrictions to be specified in its configuration. You will have to read the documentation of your server for more information.
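
The flow described above, as an added example in Python (not code from the original page): a CGI-style handler checks the session, resolves the requested name inside a download root so the header can never point outside it, and returns only headers with an empty body. The session key `can_download`, the root `/srv/protected-files` and the function names are assumptions made for illustration.

```python
import os

DOWNLOAD_ROOT = "/srv/protected-files"  # assumed location of the protected files


def resolve_download(root, requested_name):
    """Return the real path of requested_name inside root, or None."""
    # Control characters (CR, LF, NUL) must never reach a response header.
    if any(ord(c) < 32 or ord(c) == 127 for c in requested_name):
        return None
    root_real = os.path.realpath(root)
    # realpath collapses "..", absolute names and symlinks before the check.
    candidate = os.path.realpath(os.path.join(root_real, requested_name))
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate if os.path.isfile(candidate) else None


def build_response(session, requested_name, root=DOWNLOAD_ROOT):
    """Return (status, headers); the script never sends the file body itself."""
    if not session.get("can_download"):  # hypothetical session flag
        return "403 Forbidden", [("Content-Type", "text/plain")]
    path = resolve_download(root, requested_name)
    if path is None:
        return "404 Not Found", [("Content-Type", "text/plain")]
    return "200 OK", [
        ("Content-Type", "application/octet-stream"),
        ("X-SendFile", path),  # consumed by the HTTP server, not sent to the client
    ]


def emit_cgi(status, headers):
    """Serialize the CGI header block; an empty body follows the blank line."""
    lines = ["Status: " + status] + ["%s: %s" % h for h in headers]
    return "\r\n".join(lines) + "\r\n\r\n"


if __name__ == "__main__":
    import sys
    sys.stdout.write(emit_cgi(*build_response({"can_download": True}, "report.pdf")))
```

The path check in the script complements, and does not replace, the per-server restrictions on which directories the header may reference.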