lio/benji.monster
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity
benji.monster/node_modules/x-xss-protection
History
ry 69c5b90d6a upload site
2020-01-03 21:48:09 +01:00
..
dist upload site 2020-01-03 21:48:09 +01:00
CHANGELOG.md upload site 2020-01-03 21:48:09 +01:00
LICENSE upload site 2020-01-03 21:48:09 +01:00
package.json upload site 2020-01-03 21:48:09 +01:00
README.md upload site 2020-01-03 21:48:09 +01:00

README.md

X-XSS-Protection middleware

Build Status

The X-XSS-Protection HTTP header is a basic protection against XSS. It was originally by Microsoft but Chrome has since adopted it as well.

This middleware sets the X-XSS-Protection header. On modern browsers, it will set the value to 1; mode=block. On old versions of Internet Explorer, this creates a vulnerability (see here and here), and so the header is set to 0 to disable it.

To use this middleware:

const xssFilter = require('x-xss-protection')
app.use(xssFilter())

To force the header to be set to 1; mode=block on all versions of IE, add the option:

app.use(xssFilter({ setOnOldIE: true }))
// This has some security problems for old IE!

You can also optionally configure a report URI, though the flag is specific to Chrome-based browsers. This option will report the violation to the specified URI:

app.use(xssFilter({ reportUri: '/report-xss-violation' }))

To remove mode=block from the header, which isn't recommended, set the mode option to null:

app.use(xssFilter({ mode: null }))