I have many of these "controllers":
app.get('/',function(req,res){
var stuff = { 'title': 'blah' };
res.render('mytemplate',stuff);
});
Notice res.render? I want to add this header to every response header I make:
X-XSS-Protection: 0
How can I add that response header automatically?
// global controller
app.get('/*',function(req,res,next){
res.header('X-XSS-Protection' , 0 );
next(); // http://expressjs.com/guide.html#passing-route control
});
Just make sure this is the first controller you add, order is significant.
You probably want to use app.use with your own middleware:
app.use(function(req, res, next) {
res.header('X-XSS-Protection', 0);
next();
});
For express 4.x, the idiomatic way is as follows:
// no mount path; executed for every request.
app.use(function (req, res, next) {
res.set('X-XSS-Protection', 0);
next();
});
describe('Response Headers', function () {
it('responds with header X-XSS-Protection: 0', function (done) {
hippie(app)
.get('/any/route/you/can/think/of')
.expectHeader('X-XSS-Protection', 0)
.end(done);
});
});
% npm install --save-dev mocha hippie
you could create your own middleware method like so:
addToHeader = function (req, res, next) {
console.log("add to header called ... " + req.url);
res.header('X-XSS-Protection', '0');
next();
}
and then change your routes to sth like this:
app.get('/', addToHeader, function(req,res){
var stuff = { 'title': 'blah' };
res.render('mytemplate',stuff);
});
should work.
I find that another good place to inject default headers is during the Routing Middleware. This way, all routes controlled by the router instance will receive the headers.
For example:
//...
var router = express.Router();
// middleware for all routes
router.use(function(req, res, next) {
// inject default headers
res.header('cache-control', 'private, max-age=0');
res.header('expires', new Date(Date.now()).toUTCString());
next();
});
// all routes below will now inherit
// the middleware's default headers
router.get('/users', function(req, res){
// I will return the user list, with default headers
// ...
});
I'd like to point out that none of these answer actually answer the question; the question is specifically relating to render responses; e.g. for an app like:
const router = require('express').Router();
router.use('/test.json', (req, res) => res.json({ test: 'hi' });
router.use('/test.html', (req, res) => res.render('test'));
It's not clear how to add headers (e.g. CSP headers, which can be very verbose) only to your HTML responses. Express doesn't have a hook to specifically do that. The only option at the moment is to organize your code so you don't have to, e.g.
app.use(jsonRouter);
app.use(htmlRouter);
...which allows you to do as some of the other answers suggest, and add generic middleware for setting the headers.
![Prime Path[POJ3126] [SPFA/BFS]](https://oscimg.oschina.net/oscnet/e1200f32e838bf1d387d671dc8e6894c37d.jpg "Prime Path[POJ3126] [SPFA/BFS]")
{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://img.manongdao.com/sparkler-677774__340.jpg', '推荐 神经病院院长 的文章《In Node.js/Express, how do I automatically add thi》','https://www.manongdao.com/article-157381.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}