JSPM

  • ESM via JSPM
  • ES Module Entrypoint
  • Export Map
  • Keywords
  • License
  • Repository URL
  • TypeScript Types
  • README
  • Created
  • Published
  • Downloads 428646
  • Score
    100M100P100Q261864F
  • License MIT

Middleware to set the X-XSS-Protection header

Package Exports

  • x-xss-protection

This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (x-xss-protection) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.

Readme

X-XSS-Protection middleware

Build Status

The X-XSS-Protection HTTP header is a basic protection against XSS. It was originally by Microsoft but Chrome has since adopted it as well.

This middleware sets the X-XSS-Protection header. On modern browsers, it will set the value to 1; mode=block. On old versions of Internet Explorer, this creates a vulnerability (see here and here), and so the header is set to 0 to disable it.

To use this middleware:

const xssFilter = require('x-xss-protection')
app.use(xssFilter())

To force the header to be set to 1; mode=block on all versions of IE, add the option:

app.use(xssFilter({ setOnOldIE: true }))
// This has some security problems for old IE!

You can also optionally configure a report URI, though the flag is specific to Chrome-based browsers. This option will report the violation to the specified URI:

app.use(xssFilter({ reportUri: '/report-xss-violation' }))

To remove mode=block from the header, which isn't recommended, set the mode option to null:

app.use(xssFilter({ mode: null }))