Middleware to set the X-XSS-Protection header
Latest commit 9610982, Aug 7, 2016, by @EvanHahn: Update devDependencies


X-XSS-Protection middleware


Looking for a changelog?

The X-XSS-Protection HTTP header is a basic protection against XSS. It was originally introduced by Microsoft, but Chrome has since adopted it as well.

This middleware sets the X-XSS-Protection header. On modern browsers, it sets the value to 1; mode=block. On old versions of Internet Explorer, the header creates a vulnerability (see here and here), so for those browsers it is set to 0 to disable the filter.

To use this middleware:

var xssFilter = require('x-xss-protection')
app.use(xssFilter())

To force the header to be set to 1; mode=block on all versions of IE, add the option:

app.use(xssFilter({ setOnOldIE: true }))
// This has some security problems for old IE!
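
The header choice described above can be checked without a browser. The following is an added sketch, not the package's own source: it models the per-request decision and runs it against constructed User-Agent strings. The names sketchXssFilter and headerFor are hypothetical, and the cutoff (IE major version below 9, detected from "MSIE <n>" in the User-Agent) is an assumption, since this page does not say which versions count as old.

```javascript
// Added illustration; not the x-xss-protection package's source.
// ASSUMPTION: "old" IE means a major version below 9, read from "MSIE <n>" in the User-Agent.
const OLD_IE_CUTOFF = 9

function sketchXssFilter (options) {
  const setOnOldIE = Boolean(options && options.setOnOldIE)

  return function (req, res, next) {
    const ua = (req.headers && req.headers['user-agent']) || ''
    const match = /msie\s*(\d+)/i.exec(ua)
    const isOldIE = match !== null && parseInt(match[1], 10) < OLD_IE_CUTOFF

    // Old IE gets "0" (filter off) unless the caller forces the header on.
    const value = (isOldIE && !setOnOldIE) ? '0' : '1; mode=block'
    res.setHeader('X-XSS-Protection', value)
    next()
  }
}

// Run a middleware against a constructed request and return the header it set.
function headerFor (middleware, userAgent) {
  const headers = {}
  const req = { headers: userAgent === undefined ? {} : { 'user-agent': userAgent } }
  const res = { setHeader: (name, value) => { headers[name.toLowerCase()] = value } }
  let nextCalled = false
  middleware(req, res, () => { nextCalled = true })
  if (!nextCalled) throw new Error('middleware did not call next()')
  return headers['x-xss-protection']
}

// Constructed User-Agent strings for the demonstration.
const SAMPLE_AGENTS = {
  ie8: 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)',
  ie9: 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)',
  chrome: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36'
}

// Header value per sample agent, with and without setOnOldIE.
function demo () {
  const results = {}
  for (const [name, ua] of Object.entries(SAMPLE_AGENTS)) {
    results[name] = {
      default: headerFor(sketchXssFilter(), ua),
      forced: headerFor(sketchXssFilter({ setOnOldIE: true }), ua)
    }
  }
  return results
}

console.log(demo())
```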