In Node.js/Express, how do I automatically add this header to every "render" response?

68,792

Solution 1

// global controller: runs before every GET route registered after it.
// Note that app.get() only matches GET requests, so a POST route
// registered elsewhere will not receive this header.
app.get('/*', function (req, res, next) {
    res.header('X-XSS-Protection', '0');
    next(); // hand off to the next matching route, see http://expressjs.com/guide.html#passing-route-control
});

Just make sure this is the first controller you add; order is significant.

Solution 2

You probably want to use app.use with your own middleware:

app.use(function(req, res, next) {
    res.header('X-XSS-Protection', 0);
    next();
});

Solution 3

For express 4.x, the idiomatic way is as follows:

Implementation

// no mount path; executed for every request, whatever the method or path.
app.use(function (req, res, next) {
  // header values are sent as strings, so set it as a string
  res.set('X-XSS-Protection', '0');
  next(); // pass control on to the routes registered after this middleware
});

Test

var hippie = require('hippie');
var app = require('../app'); // the Express app that registers the middleware above

describe('Response Headers', function () {
  it('responds with header X-XSS-Protection: 0', function (done) {
    hippie(app)
    .get('/any/route/you/can/think/of')
    // header values arrive as strings, so compare against '0', not 0
    .expectHeader('X-XSS-Protection', '0')
    .end(done);
  });
});

Dev Dependencies (for tests to work)

% npm install --save-dev mocha hippie

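The three answers above all hinge on two things Express does not make obvious: middleware and routes run in registration order, and the chain only continues when a handler calls next(). The following is an added example, not code from the question or any of the answers, and it does not use Express at all: it is a small stand-in dispatcher in plain Node.js with the same use()/get()/post()/next() semantics, so the four situations can be run offline and compared. The route paths and the second header set by securityHeaders are constructed for the example.

```javascript
// Added example, not from the original page: a minimal Express-style
// dispatcher that reproduces the ordering and next() behaviour the
// answers rely on. It has no dependency on express.

// Stand-in for Express's res: headers live in a map, keyed in lower case,
// and a flag records when the body has been sent.
function makeRes() {
  const headers = {};
  return {
    headers,
    sent: false,
    body: undefined,
    set(name, value) {
      // On the wire header values are strings; Express's res.set does the
      // same String() conversion, so 0 and '0' end up identical.
      if (this.sent) throw new Error('Cannot set headers after they are sent');
      headers[name.toLowerCase()] = String(value);
      return this;
    },
    send(body) { this.sent = true; this.body = body; return this; },
  };
}

// Stand-in for the Express app: layers run in registration order; each
// layer decides whether to hand off by calling next().
function createApp() {
  const stack = [];
  const add = (method, path, fns) => fns.forEach(fn => stack.push({ method, path, fn }));
  return {
    use(fn) { add(null, null, [fn]); },          // any method, any path
    get(path, ...fns) { add('GET', path, fns); },
    post(path, ...fns) { add('POST', path, fns); },
    handle(method, path) {
      const req = { method, url: path };
      const res = makeRes();
      let i = 0;
      const next = () => {
        while (i < stack.length) {
          const layer = stack[i++];
          const pathMatches = layer.path === null || layer.path === '/*' || layer.path === path;
          if ((layer.method === null || layer.method === method) && pathMatches) {
            layer.fn(req, res, next);
            return; // if the layer never calls next(), the chain stops here
          }
        }
        if (!res.sent) res.send('Not found'); // fell off the end: Express would 404
      };
      next();
      return res;
    },
  };
}

// The middleware from the answers, with one more header to show the pattern.
function securityHeaders(req, res, next) {
  res.set('X-XSS-Protection', '0');
  res.set('X-Content-Type-Options', 'nosniff'); // constructed addition
  next();
}

function homeRoute(req, res) { res.send('<h1>blah</h1>'); }
function submitRoute(req, res) { res.send('ok'); }

// Solutions 2/3: app.use() first, so every later route inherits the header.
function scenarioUseFirst() {
  const app = createApp();
  app.use(securityHeaders);
  app.get('/', homeRoute);
  app.post('/submit', submitRoute);
  return { get: app.handle('GET', '/'), post: app.handle('POST', '/submit') };
}

// Solution 1: app.get('/*', ...) covers GET only; the POST route is missed.
function scenarioGetStar() {
  const app = createApp();
  app.get('/*', securityHeaders);
  app.get('/', homeRoute);
  app.post('/submit', submitRoute);
  return { get: app.handle('GET', '/'), post: app.handle('POST', '/submit') };
}

// Wrong order: the route sends and never calls next(), so the middleware
// registered after it never runs.
function scenarioUseAfterRoute() {
  const app = createApp();
  app.get('/', homeRoute);
  app.use(securityHeaders);
  return app.handle('GET', '/');
}

// Middleware that forgets next(): the header is set, but nothing ever
// sends a body, which in a real server means the client hangs.
function scenarioNoNext() {
  const app = createApp();
  app.use((req, res) => { res.set('X-XSS-Protection', '0'); });
  app.get('/', homeRoute);
  return app.handle('GET', '/');
}

const show = (label, r) => console.log(label, r.headers['x-xss-protection'], 'sent:', r.sent);
show('use() first, GET /      ', scenarioUseFirst().get);
show('use() first, POST /submit', scenarioUseFirst().post);
show('get(/*),     POST /submit', scenarioGetStar().post);
show('use() after route, GET / ', scenarioUseAfterRoute());
show('no next(),   GET /       ', scenarioNoNext());
```

The two cases worth remembering from the output: with app.get('/*') the POST response carries no header at all, and a middleware that omits next() leaves the response unsent rather than failing loudly, which is why the hippie test in the answer above is worth keeping.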

Solution 4

you could create your own middleware method like so:

// declare it, otherwise the assignment creates an implicit global
const addToHeader = function (req, res, next) {
  console.log("add to header called ... " + req.url);
  res.header('X-XSS-Protection', '0');
  next(); // continue to the route handler that follows it
};

and then change your routes to something like this:

app.get('/', addToHeader, function(req,res){
  var stuff = { 'title': 'blah' };
  res.render('mytemplate',stuff);
});

should work.

Solution 5

Use a middleware...

app.use(function (req, res, next) {
  res.header("Access-Control-Allow-Origin", "*")
  res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept")
  next()
})

But make sure you use it before your API method. Like this:

const express = require('express')
const app = express()

// middleware
app.use(function (req, res, next) {
  res.header("Access-Control-Allow-Origin", "*")
  res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept")
  next()
})

// api (service and handleError are placeholders for your own code)
app.get('/user', (req, res, next) => {
  service.doSomething()
    .then(data => res.send(data))
    .catch(next)
})

app.use(handleError)

Took me a while to figure it out. I didn't see it mentioned anywhere so adding this to complement previous answers.
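The answer above hard-codes Access-Control-Allow-Origin to "*". That is fine for a public, cookie-less API, but a browser refuses "*" when the request carries credentials, and it also lets every site the user visits read the response. The block below is an added example, not code from the answer or from Express: it keeps the same middleware shape but computes the headers from an allowlist in a pure function, so the decision can be unit-tested without starting a server. The origins in ALLOWED_ORIGINS and the Allow-Methods list are constructed for the example; req.get(), res.set() with an object and res.sendStatus() are real Express methods.

```javascript
// Added example, not from the original answer: CORS headers driven by an
// origin allowlist instead of a blanket "*".

const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',    // constructed for this example
  'https://admin.example.com',  // constructed for this example
]);

// Returns the headers to add for a given request Origin. An origin that
// is not on the list gets only Vary: Origin, so the browser blocks the
// cross-origin read while caches still key on the Origin header.
function corsHeadersFor(origin, allowed = ALLOWED_ORIGINS, withCredentials = true) {
  if (!origin || !allowed.has(origin)) return { 'Vary': 'Origin' };
  const headers = {
    // Echo the specific origin rather than "*": "*" cannot be combined
    // with Access-Control-Allow-Credentials: true.
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Headers': 'Origin, X-Requested-With, Content-Type, Accept',
    'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
    // The value depends on the request's Origin, so any cache in front of
    // the API must vary on it or one origin's response could be served to another.
    'Vary': 'Origin',
  };
  if (withCredentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

// Express middleware built on the pure function. Mount it with app.use()
// before the API routes, exactly as in the answer above. Preflight
// (OPTIONS) requests are answered here with 204 and never reach the routes.
function cors(req, res, next) {
  res.set(corsHeadersFor(req.get('Origin')));
  if (req.method === 'OPTIONS') return res.sendStatus(204);
  next();
}

// Stand-alone demonstration of the decision logic.
for (const origin of ['https://app.example.com', 'https://evil.example', undefined]) {
  console.log(origin, '->', corsHeadersFor(origin));
}
```

If you only ever serve anonymous, public data, pass withCredentials = false and keep the allowlist anyway; reflecting whatever Origin the request carries is the same as "*" with credentials enabled.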

Author: TIMEX (updated on July 09, 2022)

Comments

  • TIMEX
    TIMEX almost 2 years

    I have many of these "controllers":

    app.get('/',function(req,res){
        var stuff = { 'title': 'blah' };
        res.render('mytemplate',stuff);
    });    
    

    Notice res.render? I want to add this header to every response header I make:

    X-XSS-Protection: 0

    How can I add that response header automatically?

  • Philipp Kyeck
    Philipp Kyeck almost 13 years
    aahh, this one seems even better
  • Philipp Kyeck
    Philipp Kyeck almost 13 years
    if you really want to add the header argument to all calls this is way shorter than to add the middleware call to every route.
  • TIMEX
    TIMEX almost 13 years
    So by adding this as the first controller, all my other controllers will have that header inside their response?
  • BGerrissen
    BGerrissen almost 13 years
    Afaik yes, so it's possible to route a response through several controllers.
  • Jonathan Cremin
    Jonathan Cremin about 10 years
    This is what everyone should be using now.
  • Tony
    Tony almost 10 years
    Yes, this is the way to go in Express 4. Always use app.use
  • Luke
    Luke over 7 years
    Much better than the accepted answer.
  • brandones
    brandones over 6 years
    This is out of date now, see below.
  • Jabari Dash
    Jabari Dash over 6 years
    What does the next() function call do? It works without it, so I was just kind of curious
  • Emilio
    Emilio over 6 years
    I think this answer was the answer we both were looking for: stackoverflow.com/a/48448925/6814172
  • The Red Pea
    The Red Pea about 6 years
    Note res.set is the function for which the method used here -- res.header -- is an alias
  • Tanzeel
    Tanzeel over 2 years
    can you plz look into this: stackoverflow.com/questions/69409586/…