HTTP Header: XSS Filter
The attack​
One kind of XSS is called “Reflected XSS”. Typically, it works by setting a query string which is put directly into the HTML. Putting JavaScript in the query string can let an attacker execute their JavaScript just by giving someone a malicious query string.
The header​
To be very clear: this header does not protect you from XSS attacks much. It protects against a very particular kind of XSS, and other mitigation measures are far better. This header provides a quick win and basic protection, but this header does not save you from XSS attacks.
It’s relatively easy for browsers to detect simple reflected XSS. In the example above, browsers could choose not to execute the JavaScript inside a <script>
tag if it matches what’s in the query string. Some browsers do this detection by default, but some don’t. To make these browsers check for this simple case, you can set the X-XSS-Protection
header to 1; mode=block
.
This tells browsers to detect and block reflected XSS.
Note: This header causes some even worse security vulnerabilities in older versions of Internet Explorer, so it’s wise to disable it there.
The code​
The xssFilter
middleware sets the X-XSS-Protection
header to prevent reflected XSS attacks.
const helmet = require('helmet')
// Sets "X-XSS-Protection: 1; mode=block".
app.use(helmet.xssFilter())
Report violations​
You can also optionally configure a report URI, though the flag is specific to Chrome-based browsers.
This option will report the violation to the specified URI:
const helmet = require('helmet')
// Sets "X-XSS-Protection: 1; report=/report-xss-violation; mode=block".
app.use(xssFilter({ reportUri: '/report-xss-violation' }))