In Node.js/Express, how do I automatically add thi

I have many of these "controllers":

app.get('/',function(req,res){
    var stuff = { 'title': 'blah' };
    res.render('mytemplate',stuff);
});

Notice res.render? I want to add this header to every response header I make:

X-XSS-Protection: 0

How can I add that response header automatically?

标签： javascript node.js http express url

6条回答

ゆ、 Hurt°

2楼-- · 2019-01-17 15:08

you could create your own middleware method like so:

addToHeader = function (req, res, next) {
  console.log("add to header called ... " + req.url);
  res.header('X-XSS-Protection', '0');
  next();
}

and then change your routes to sth like this:

app.get('/', addToHeader, function(req,res){
  var stuff = { 'title': 'blah' };
  res.render('mytemplate',stuff);
});

should work.

0人赞添加讨论(0) 举报

唯我独甜

3楼-- · 2019-01-17 15:09

// global controller
app.get('/*',function(req,res,next){
    res.header('X-XSS-Protection' , 0 );
    next(); // http://expressjs.com/guide.html#passing-route control
});

Just make sure this is the first controller you add, order is significant.

0人赞添加讨论(0) 举报

beautiful°

4楼-- · 2019-01-17 15:11

I find that another good place to inject default headers is during the Routing Middleware. This way, all routes controlled by the router instance will receive the headers.

For example:

//...
var router = express.Router();

// middleware for all routes
router.use(function(req, res, next) {
  // inject default headers
  res.header('cache-control', 'private, max-age=0');
  res.header('expires', new Date(Date.now()).toUTCString());
  next();
});

// all routes below will now inherit 
// the middleware's default headers
router.get('/users', function(req, res){
   // I will return the user list, with default headers
   // ...
});

0人赞添加讨论(0) 举报

\"骚年 ilove

5楼-- · 2019-01-17 15:12

For express 4.x, the idiomatic way is as follows:

Implementation

// no mount path; executed for every request.
app.use(function (req, res, next) {
  res.set('X-XSS-Protection', 0);
  next();
});

Test

describe('Response Headers', function () {
  it('responds with header X-XSS-Protection: 0', function (done) {
    hippie(app)
    .get('/any/route/you/can/think/of')
    .expectHeader('X-XSS-Protection', 0)
    .end(done);
  });
});

Dev Dependencies (for tests to work)

% npm install --save-dev mocha hippie

Relevant Documentation

0人赞添加讨论(0) 举报

放荡不羁爱自由

6楼-- · 2019-01-17 15:17

I'd like to point out that none of these answer actually answer the question; the question is specifically relating to render responses; e.g. for an app like:

const router = require('express').Router();
router.use('/test.json', (req, res) => res.json({ test: 'hi' });
router.use('/test.html', (req, res) => res.render('test'));

It's not clear how to add headers (e.g. CSP headers, which can be very verbose) only to your HTML responses. Express doesn't have a hook to specifically do that. The only option at the moment is to organize your code so you don't have to, e.g.

app.use(jsonRouter);
app.use(htmlRouter);

...which allows you to do as some of the other answers suggest, and add generic middleware for setting the headers.

0人赞添加讨论(0) 举报

成全新的幸福

7楼-- · 2019-01-17 15:23

You probably want to use app.use with your own middleware:

app.use(function(req, res, next) {
    res.header('X-XSS-Protection', 0);
    next();
});

0人赞添加讨论(0) 举报