X-XSS-Protection Middleware

2.0.0 · active · verified Wed Apr 22

This package provides an Express middleware specifically designed to disable the `X-XSS-Protection` HTTP header by setting its value to `0`. This header, once intended to mitigate cross-site scripting (XSS) attacks, has been largely deprecated by browser vendors due to its propensity to introduce new security vulnerabilities rather than solve them. It is part of the Helmet.js project, a collection of middlewares for securing Express apps. The current stable version is 2.0.0. The package maintains a low release cadence, primarily updating for Node.js compatibility or critical bug fixes, as its core functionality (disabling a header) is stable and intentionally minimal. Its key differentiator is its explicit recommendation and implementation for removing a problematic legacy security feature, contrasting with older practices that advocated its use. This library is a targeted solution for modern web security practices, where XSS mitigation is handled by Content Security Policy (CSP) and robust input sanitization instead of this unreliable header.

Common errors

```
TypeError: xXssProtection is not a function
```
cause Attempting to call a named import as a function when the package exports a default function, or calling `xXssProtection` when using a namespace import without accessing `.default`.

fix Use `import xXssProtection from 'x-xss-protection'` for ESM or `const xXssProtection = require('x-xss-protection')` for CommonJS.
```
ReferenceError: xXssProtection is not defined
```
cause Forgetting to import or require the package before attempting to use the `xXssProtection` function.

fix Add `const xXssProtection = require('x-xss-protection')` or `import xXssProtection from 'x-xss-protection'` at the top of your file.

Warnings

breaking Using the `X-XSS-Protection` header (even with `1; mode=block`) is generally insecure and deprecated by modern browsers, as it can introduce new vulnerabilities like Content Security Policy (CSP) bypasses or arbitrary script execution.
Fix: Always disable the header using this middleware (`xXssProtection()`), or implement a robust Content Security Policy (CSP) and proper input sanitization instead.
gotcha This middleware specifically sets the `X-XSS-Protection` header to `0`, effectively disabling it. It does not provide any options to enable or configure its behavior to `1; mode=block` or similar legacy settings.
Fix: If legacy `X-XSS-Protection` behavior is absolutely required (which is generally not recommended due to severe security risks), implement custom middleware to set the header manually.
gotcha This module's functionality (disabling the `X-XSS-Protection` header) is now the default behavior in Helmet.js versions 6 and above. If you are using a modern version of Helmet, this specific middleware is likely redundant.
Fix: Review your Helmet.js configuration. If using Helmet v6+, this package is likely unnecessary. For older Helmet versions or standalone use, continue using this middleware as intended.

Install

npm install x-xss-protection npm
yarn add x-xss-protection yarn
pnpm add x-xss-protection pnpm

Imports

Default exported middleware function (ESM)
wrong:
```
import { xXssProtection } from 'x-xss-protection';
```
correct:
```
import xXssProtection from 'x-xss-protection';
```
The package exports a default function which returns an Express middleware. This is the standard ESM import for direct usage.
Default exported middleware function (CommonJS)
wrong:
```
const { xXssProtection } = require('x-xss-protection');
```
correct:
```
const xXssProtection = require('x-xss-protection');
```
When using CommonJS, the `require` call directly resolves to the default exported middleware function.
Namespace import (ESM)
wrong:
```
import * as xXssProtection from 'x-xss-protection';
```
correct:
While `import * as xXssProtection from 'x-xss-protection'` can be used, `xXssProtection` will then be an object `{ default: Function }`. To use the middleware, you would need to call `xXssProtection.default()`, which is less ergonomic than a direct default import.

Quickstart

Demonstrates how to integrate the middleware into an Express application to disable the X-XSS-Protection header.

const express = require('express');
const xXssProtection = require('x-xss-protection');
const app = express();

// Set "X-XSS-Protection: 0"
app.use(xXssProtection());

app.get('/', (req, res) => {
  res.send('X-XSS-Protection header is set to 0');
});

const PORT = process.env.PORT ?? 3000;
app.listen(PORT, () => {
  console.log(`Server running on http://localhost:${PORT}`);
});

view raw JSON →