34 lines
1.6 KiB
Markdown
34 lines
1.6 KiB
Markdown
|
X-XSS-Protection middleware
|
||
|
|
===========================
|
||
|
|
[](https://travis-ci.org/helmetjs/x-xss-protection)
|
||
|
|
|
||
|
|
The `X-XSS-Protection` HTTP header is a basic protection against XSS. It was originally [by Microsoft](http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx) but Chrome has since adopted it as well.
|
||
|
|
|
||
|
|
This middleware sets the `X-XSS-Protection` header. On modern browsers, it will set the value to `1; mode=block`. On old versions of Internet Explorer, this creates a vulnerability (see [here](http://hackademix.net/2009/11/21/ies-xss-filter-creates-xss-vulnerabilities/) and [here](http://technet.microsoft.com/en-us/security/bulletin/MS10-002)), and so the header is set to `0` to disable it.
|
||
|
|
|
||
|
|
To use this middleware:
|
||
|
|
|
||
|
|
```javascript
|
||
|
|
const xssFilter = require('x-xss-protection')
|
||
|
|
app.use(xssFilter())
|
||
|
|
```
|
||
|
|
|
||
|
|
To force the header to be set to `1; mode=block` on all versions of IE, add the option:
|
||
|
|
|
||
|
|
```javascript
|
||
|
|
app.use(xssFilter({ setOnOldIE: true }))
|
||
|
|
// This has some security problems for old IE!
|
||
|
|
```
|
||
|
|
|
||
|
|
You can also optionally configure a report URI, though the flag is [specific to Chrome-based browsers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection). This option will report the violation to the specified URI:
|
||
|
|
|
||
|
|
```javascript
|
||
|
|
app.use(xssFilter({ reportUri: '/report-xss-violation' }))
|
||
|
|
```
|
||
|
|
|
||
|
|
To remove `mode=block` from the header, which isn't recommended, set the `mode` option to `null`:
|
||
|
|
|
||
|
|
```javascript
|
||
|
|
app.use(xssFilter({ mode: null }))
|
||
|
|
```
|