X-XSS-Protection middleware
The X-XSS-Protection HTTP header is a basic protection against XSS. It was originally introduced by Microsoft, but Chrome has since adopted it as well.
This middleware sets the X-XSS-Protection header. On modern browsers, it sets the value to 1; mode=block. On old versions of Internet Explorer, the filter itself can be abused to introduce a vulnerability (see here and here), so on those browsers the header is set to 0 to disable it.
To use this middleware:
const xssFilter = require('x-xss-protection')
app.use(xssFilter())
To force the header to be set to 1; mode=block on all versions of IE, add the option:
app.use(xssFilter({ setOnOldIE: true }))
// This has some security problems for old IE!
You can also optionally configure a report URI, though the flag is specific to Chrome-based browsers. This option will report the violation to the specified URI:
app.use(xssFilter({ reportUri: '/report-xss-violation' }))
To remove mode=block from the header, which isn't recommended, set the mode option to null:
app.use(xssFilter({ mode: null }))
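To make the per-browser behaviour described above concrete, here is an added example (not the x-xss-protection module's own code) that re-implements the header logic as a small Express-style middleware and exercises it against constructed user-agent strings. It assumes that "old IE" means Internet Explorer 8 and earlier, detected from the MSIE token in the user agent, and that the report option is appended as `report=<uri>`.

```javascript
// Added example, not the x-xss-protection module's own implementation.
// Assumption: "old IE" means Internet Explorer 8 and earlier, identified
// by the "MSIE <version>" token in the User-Agent header.
function isOldIE(userAgent) {
  const match = /msie\s*(\d{1,2})/i.exec(userAgent || '');
  return match !== null && parseInt(match[1], 10) < 9;
}

// Compute the X-XSS-Protection value for one request.
// Options mirror the README: setOnOldIE, mode (null drops mode=block), reportUri.
function xssHeaderValue(userAgent, options = {}) {
  const setOnOldIE = options.setOnOldIE === true;
  const mode = 'mode' in options ? options.mode : 'block';
  if (!setOnOldIE && isOldIE(userAgent)) {
    return '0'; // disable the filter on old IE, where it is unsafe
  }
  let value = '1';
  if (mode === 'block') value += '; mode=block';
  if (options.reportUri) value += '; report=' + options.reportUri; // assumed format
  return value;
}

// Express-style middleware that sets the header on every response.
function xssFilter(options) {
  return function (req, res, next) {
    res.setHeader('X-XSS-Protection', xssHeaderValue(req.headers['user-agent'], options));
    next();
  };
}

// Constructed sample user agents used to exercise the logic.
const OLD_IE_UA = 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)';
const IE11_UA = 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko';
const CHROME_UA = 'Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36';

// Minimal fake req/res to run the middleware without a server.
function runMiddleware(userAgent, options) {
  const headers = {};
  const req = { headers: { 'user-agent': userAgent } };
  const res = { setHeader: (name, value) => { headers[name] = value; } };
  xssFilter(options)(req, res, () => {});
  return headers['X-XSS-Protection'];
}
```

Note that IE 11 no longer sends the MSIE token, so it is treated as a modern browser and receives 1; mode=block.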