Readme
X-XSS-Protection middleware
Trying to prevent: Cross-site scripting (XSS) attacks.
How we mitigate this: The X-XSS-Protection HTTP header is a basic protection against XSS. It was originally introduced by Microsoft, but Chrome has since adopted it as well. To use it:
```js
var xssFilter = require('x-xss-protection');
app.use(xssFilter());
```
This sets the X-XSS-Protection header. On modern browsers, it will set the value to `1; mode=block`. On old versions of Internet Explorer, this creates a vulnerability (see here and here), so the header is set to `0` to disable it. To force the header on all versions of IE, add the option:
```js
app.use(xssFilter({ setOnOldIE: true }));
// This has some security problems for old IE!
```
Limitations: This isn't anywhere near as thorough as Content Security Policy. It's only properly supported on IE9+ and Chrome; no other major browsers support it at this time. Old versions of IE support it in a buggy way, which we disable by default.