| 1 | # X-XSS-Protection middleware
|
| 2 |
|
| 3 | The `X-XSS-Protection` HTTP header aimed to offer a basic protection against cross-site scripting (XSS) attacks. _However, you probably should disable it_, which is what this middleware does.
|
| 4 |
|
| 5 | Many browsers have chosen to remove it because of the unintended security issues it creates. Generally, you should protect against XSS with sanitization and a Content Security Policy. For more, read [this GitHub issue](https://github.com/helmetjs/helmet/issues/230).
|
| 6 |
|
| 7 | This middleware sets the `X-XSS-Protection` header to `0`. For example:
|
| 8 |
|
| 9 | ```javascript
|
| 10 | const xXssProtection = require("x-xss-protection");
|
| 11 |
|
| 12 | // Set "X-XSS-Protection: 0"
|
| 13 | app.use(xXssProtection());
|
| 14 | ```
|
| 15 |
|
| 16 | If you truly need the legacy behavior, you can write your own simple middleware and avoid installing this module. For example:
|
| 17 |
|
| 18 | ```javascript
|
| 19 | // NOTE: This is probably insecure!
|
| 20 | app.use((req, res, next) => {
|
| 21 | res.setHeader("X-XSS-Protection", "1; mode=block");
|
| 22 | next();
|
| 23 | });
|
| 24 | ```
|