In Node.js/Express, how do I automatically add this header to every "render" response?
Solution 1
// global controller
app.get('/*', function (req, res, next) {
  res.header('X-XSS-Protection', 0);
  next(); // http://expressjs.com/guide.html#passing-route control
});
Just make sure this is the first controller you add, order is significant.
Solution 2
You probably want to use app.use with your own middleware:
app.use(function (req, res, next) {
  res.header('X-XSS-Protection', 0);
  next();
});
Solution 3
For express 4.x, the idiomatic way is as follows:
Implementation
// no mount path; executed for every request.
app.use(function (req, res, next) {
  res.set('X-XSS-Protection', 0);
  next();
});
Test
describe('Response Headers', function () {
  it('responds with header X-XSS-Protection: 0', function (done) {
    hippie(app)
      .get('/any/route/you/can/think/of')
      .expectHeader('X-XSS-Protection', 0)
      .end(done);
  });
});
Dev Dependencies (for tests to work)
% npm install --save-dev mocha hippie
Relevant Documentation
Solution 4
You could create your own middleware method like so:
// route-level middleware: sets the header, then hands control to the route handler
var addToHeader = function (req, res, next) {
  console.log("add to header called ... " + req.url);
  res.header('X-XSS-Protection', '0');
  next();
};
And then change your routes to something like this:
app.get('/', addToHeader, function (req, res) {
  var stuff = { 'title': 'blah' };
  res.render('mytemplate', stuff);
});
Should work.
Solution 5
Use a middleware...
app.use(function (req, res, next) {
  res.header("Access-Control-Allow-Origin", "*")
  res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept")
  next()
})
But make sure you use it before your API method. Like this:
const app = express()
// middleware
app.use(function (req, res, next) {
  res.header("Access-Control-Allow-Origin", "*")
  res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept")
  next()
})
// api
app.get('/user', (req, res, next) => {
  // call the service, send its result, and pass any rejection to the error handler
  service.doSomething()
    .then(data => res.send(data))
    .catch(next)
})
app.use(handleError)
Took me a while to figure it out. I didn't see it mentioned anywhere so adding this to complement previous answers.
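The ordering rule from Solutions 1 and 5, and the role of next(), shown as an added example that is not part of any answer above. It uses a small stand-in dispatcher (createApp, handle and the fake res object are assumptions for illustration, not Express's own code) so it runs without installing Express:

```javascript
// Simplified model of Express-style middleware dispatch (an assumption for
// illustration; this is not Express's own code). Handlers run in registration
// order, and the chain only advances when a handler calls next().
function createApp() {
  const stack = [];
  return {
    use(fn) { stack.push(fn); return this; },
    // Run the chain against a fake response and report what the client would see.
    handle(url) {
      const res = {
        headers: {}, body: null, finished: false,
        set(name, value) { this.headers[name] = String(value); return this; },
        send(body) { this.body = body; this.finished = true; return this; },
      };
      let i = 0;
      const next = () => {
        const fn = stack[i++];
        if (fn && !res.finished) fn({ url }, res, next);
      };
      next();
      return res;
    },
  };
}

const setXss = (req, res, next) => { res.set('X-XSS-Protection', 0); next(); };
const route = (req, res) => res.send('rendered ' + req.url);

// Header middleware first: every response carries the header.
function headerFirst() {
  return createApp().use(setXss).use(route).handle('/');
}

// Header middleware after the route: the route ends the response without
// calling next(), so the header middleware never runs.
function headerLast() {
  return createApp().use(route).use(setXss).handle('/');
}

// Middleware that sets the header but omits next(): the route is never
// reached and the request is left without a response.
function missingNext() {
  const noNext = (req, res) => { res.set('X-XSS-Protection', 0); };
  return createApp().use(noNext).use(route).handle('/');
}

console.log(headerFirst().headers, headerLast().headers, missingNext().finished);
```

A test like the one in Solution 3, run against a real route, catches the headerLast case in an actual Express app.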
Author: TIMEX
Updated on July 09, 2022
Comments
-
TIMEX almost 2 years
I have many of these "controllers":
app.get('/', function (req, res) {
  var stuff = { 'title': 'blah' };
  res.render('mytemplate', stuff);
});
Notice res.render? I want to add this header to every response header I make:
X-XSS-Protection: 0
How can I add that response header automatically?
-
Philipp Kyeck almost 13 years
aahh, this one seems even better
-
Philipp Kyeck almost 13 years
if you really want to add the header argument to all calls this is way shorter than to add the middleware call to every route.
-
TIMEX almost 13 years
So by adding this as the first controller, all my other controllers will have that header inside their response?
-
BGerrissen almost 13 years
Afaik yes, so it's possible to route a response through several controllers.
-
Jonathan Cremin about 10 years
This is what everyone should be using now.
-
Tony almost 10 years
Yes, this is the way to go in Express 4. Always use app.use
-
Luke over 7 years
Much better than the accepted answer.
-
brandones over 6 years
This is out of date now, see below.
-
Jabari Dash over 6 years
What does the next() function call do? It works without it, so I was just kind of curious
-
Emilio over 6 years
I think this answer was the answer we both were looking for: stackoverflow.com/a/48448925/6814172
-
The Red Pea about 6 years
Note res.set is the function for which the method used here -- res.header -- is an alias
-
Tanzeel over 2 years
Plz look into this: stackoverflow.com/questions/69409586/…
-
Tanzeel over 2 years
can you plz look into this: stackoverflow.com/questions/69409586/…