{"id":17123,"library":"x-xss-protection","title":"X-XSS-Protection Middleware","description":"This package provides an Express middleware that sets the `X-XSS-Protection` HTTP header to `0`, which turns off the legacy browser XSS filter in the browsers that still honour the header. That filter was meant as a cross-site scripting (XSS) mitigation, but it proved unreliable and abusable: Chrome and Edge have removed their XSS filters and Firefox never shipped one, so sending `1; mode=block` gains nothing in current browsers and can cause harm in older ones. The package is part of the Helmet.js project, a collection of middlewares for securing Express apps; Helmet's bundled `xssFilter` middleware applies the same value. The current stable version is 2.0.0. Release cadence is low, with updates mainly for Node.js compatibility or bug fixes, because the core behaviour (a single `res.setHeader` call) is intentionally minimal. Its key differentiator is that it explicitly disables a problematic legacy feature rather than enabling it, the opposite of older guidance that advocated `1; mode=block`. XSS defence in modern applications comes from a Content Security Policy (CSP) together with context-aware output encoding and input validation, not from this header.","status":"active","version":"2.0.0","language":"javascript","source_language":"en","source_url":"git://github.com/helmetjs/helmet","tags":["javascript","express","security","x-xss-protection","typescript"],"install":[{"cmd":"npm install x-xss-protection","lang":"bash","label":"npm"},{"cmd":"yarn add x-xss-protection","lang":"bash","label":"yarn"},{"cmd":"pnpm add x-xss-protection","lang":"bash","label":"pnpm"}],"dependencies":[],"imports":[{"note":"The package exports a default function which returns an Express middleware. 
This is the standard ESM import for direct usage.","wrong":"import { xXssProtection } from 'x-xss-protection';","symbol":"Default exported middleware function (ESM)","correct":"import xXssProtection from 'x-xss-protection';"},{"note":"When using CommonJS, the `require` call directly resolves to the default exported middleware function.","wrong":"const { xXssProtection } = require('x-xss-protection');","symbol":"Default exported middleware function (CommonJS)","correct":"const xXssProtection = require('x-xss-protection');"},{"note":"While `import * as xXssProtection from 'x-xss-protection'` can be used, `xXssProtection` will then be an object `{ default: Function }`. To use the middleware, you would need to call `xXssProtection.default()`, which is less ergonomic than a direct default import.","wrong":"import * as xXssProtection from 'x-xss-protection';","symbol":"Namespace import (ESM)","correct":null}],"quickstart":{"code":"const express = require('express');\nconst xXssProtection = require('x-xss-protection');\nconst app = express();\n\n// Set \"X-XSS-Protection: 0\"\napp.use(xXssProtection());\n\napp.get('/', (req, res) => {\n  res.send('X-XSS-Protection header is set to 0');\n});\n\nconst PORT = process.env.PORT ?? 
3000;\napp.listen(PORT, () => {\n  console.log(`Server running on http://localhost:${PORT}`);\n});","lang":"javascript","description":"Demonstrates how to integrate the middleware into an Express application to disable the X-XSS-Protection header."},"warnings":[{"fix":"Set the header to `0` with this middleware (or do not send it at all) and rely on a Content Security Policy (CSP) plus context-aware output encoding for XSS defence; do not send `1` or `1; mode=block`.","message":"Sending `X-XSS-Protection: 1` or `1; mode=block` no longer mitigates XSS: Chrome and Edge removed their XSS filters and Firefox never implemented one. In the browsers that did ship a filter it was itself abusable (for example to leak cross-site information) and could break otherwise safe pages, which is why Helmet and this package now set the header to `0`.","severity":"gotcha","affected_versions":"*"},{"fix":"If legacy `X-XSS-Protection` behavior is absolutely required (not recommended, see the previous warning), write a one-line custom middleware that calls `res.setHeader('X-XSS-Protection', '1; mode=block')`, and mount it after any middleware that sets the header to `0`, because later `setHeader` calls overwrite earlier ones.","message":"Version 2.0.0 sets the `X-XSS-Protection` header to `0` unconditionally and accepts no options. The 1.x releases sent `1; mode=block` by default and took configuration; that behaviour was removed in 2.0.0.","severity":"gotcha","affected_versions":">=2.0.0"},{"fix":"Review your Helmet.js configuration. If you call `helmet()` with its defaults (Helmet 4 or later), this package is unnecessary. For standalone use without Helmet, continue using this middleware as intended.","message":"This module's functionality (setting `X-XSS-Protection` to `0`) has been the default behavior of `helmet()` since Helmet 4, the same release line in which this package moved to 2.0.0. 
If you already call `helmet()` with its default options, this middleware is redundant.","severity":"gotcha","affected_versions":">=1.0.0"},"env_vars":null,"last_verified":"2026-04-22T00:00:00.000Z","next_check":"2026-07-21T00:00:00.000Z","problems":[{"fix":"Use `import xXssProtection from 'x-xss-protection'` for ESM or `const xXssProtection = require('x-xss-protection')` for CommonJS.","cause":"Attempting to call a named import as a function when the package exports a default function, or calling `xXssProtection` when using a namespace import without accessing `.default`.","error":"TypeError: xXssProtection is not a function"},{"fix":"Add `const xXssProtection = require('x-xss-protection')` or `import xXssProtection from 'x-xss-protection'` at the top of your file.","cause":"Forgetting to import or require the package before attempting to use the `xXssProtection` function.","error":"ReferenceError: xXssProtection is not defined"}],"ecosystem":"npm","meta_description":null}
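The following is an added example, not code from the x-xss-protection package or the Helmet project. It shows the middleware-ordering check a reviewer would want before trusting that a deployment really sends `X-XSS-Protection: 0`: Express runs `app.use()` middleware in mount order and `res.setHeader` overwrites, so a legacy `1; mode=block` middleware mounted after this package silently re-enables the filter. It assumes nothing beyond Node.js: `disableXssFilter` is a stand-in that reproduces the one header the package sets, `legacyXssFilter` is the hand-written legacy middleware the second warning describes, and `makeResponse` is a constructed stub of the `setHeader`/`getHeader` surface of `http.ServerResponse`, so the check runs offline without Express.

```javascript
// Added example (not the package's own code): audit the final X-XSS-Protection
// value produced by an Express-style middleware chain, without a live server.

// Stand-in for what x-xss-protection 2.x does: set the header to "0" and pass on.
function disableXssFilter() {
  return (req, res, next) => {
    res.setHeader('X-XSS-Protection', '0');
    next();
  };
}

// Hand-written legacy middleware (the behaviour the package deliberately dropped).
function legacyXssFilter(value = '1; mode=block') {
  return (req, res, next) => {
    res.setHeader('X-XSS-Protection', value);
    next();
  };
}

// Constructed stub: just enough of http.ServerResponse for header middleware.
// Header names are case-insensitive in HTTP, so they are normalised here.
function makeResponse() {
  const headers = new Map();
  return {
    setHeader(name, v) { headers.set(name.toLowerCase(), String(v)); },
    getHeader(name) { return headers.get(name.toLowerCase()); },
    removeHeader(name) { headers.delete(name.toLowerCase()); },
  };
}

// Run a middleware chain in mount order, the way app.use() does, and return the
// response so its headers can be inspected. Errors passed to next() are rethrown.
function runChain(middlewares, req = { method: 'GET', url: '/' }) {
  const res = makeResponse();
  let i = 0;
  const next = (err) => {
    if (err) throw err;
    const mw = middlewares[i++];
    if (mw) mw(req, res, next);
  };
  next();
  return res;
}

// Verdict on the header the chain would actually send. Returned as an object
// (not printed) so it can be asserted on in tests.
function auditXssProtection(middlewares) {
  const value = runChain(middlewares).getHeader('X-XSS-Protection');
  return {
    value: value === undefined ? null : value,   // null: header not sent at all
    disabled: value === '0',                      // the state this package wants
    legacy: value !== undefined && value.startsWith('1'), // filter re-enabled
  };
}

// Three chains: the package alone, a legacy middleware mounted after it
// (overwrites the "0"), and the package mounted last (wins again).
const packageAlone = auditXssProtection([disableXssFilter()]);
const legacyAfter = auditXssProtection([disableXssFilter(), legacyXssFilter()]);
const packageLast = auditXssProtection([legacyXssFilter(), disableXssFilter()]);

console.log('package alone        ->', packageAlone);
console.log('legacy mounted after ->', legacyAfter);
console.log('package mounted last ->', packageLast);
```

The same `runChain`/`auditXssProtection` pair can be pointed at the real `xXssProtection()` middleware in place of `disableXssFilter()`; against a running app the equivalent check is `curl -sI http://localhost:3000/ | grep -i x-xss-protection`, which must print exactly `x-xss-protection: 0`.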