
console-self-xss-warning

Maintainers: 1
Versions: 11
Show a self-XSS warning in the browser console.

Version: 2.0.6 (latest)
Source: npm

console-self-xss-warning

Show a self-XSS warning in the browser console to protect users from social engineering.

Console warning preview

Features

  • Runs only in the browser and is safe for SSR.
  • Default language is auto-detected via navigator.language with en fallback.
  • Language tags use BCP 47 with normalization and primary subtag fallback (e.g. en-US -> en).
  • Built-in translations for 40+ languages.
  • \\n in translations is converted to a real line break in console output.
  • No external dependencies.

Install

npm install console-self-xss-warning

Quick start

import { showConsoleWarning } from "console-self-xss-warning";

showConsoleWarning();

Framework examples

Full examples for popular frameworks and Vanilla JS are in examples/.

Configuration

| parameter | default | required | description |
| --- | --- | --- | --- |
| translations | built-in translations | no | override texts and styles per language |
| forceLang | auto-detect (navigator.language) | no | force a specific language |
| once | true | no | show only once per page load |
| productionOnly | false | no | show only in production mode |
| clearConsole | false | no | clear the console before logging |
| productionOnlyEnvKey | default key list | no | read productionOnly from an env variable |
| config | default warning config | no | override styles and behavior defaults |

Language tags (BCP 47)

Language keys and forceLang accept BCP 47 language tags (e.g. en, en-US, pt-BR). Tags are normalized to lowercase with -, and if a region-specific tag is not found the primary subtag is used as a fallback (e.g. en-US -> en).
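The lookup described above, sketched as an added example that is not the package's own source. The function names are hypothetical, and two things are assumptions beyond the README: the fallback walks every shorter prefix (zh-Hant-TW, zh-hant, zh) rather than jumping straight to the primary subtag, and a forced language with no translation falls through to the browser language and then en.

```javascript
// Added illustration; not the source of console-self-xss-warning.
// normalizeTag, candidates and pickTranslation are hypothetical names.

// "en_US", " EN-us " -> "en-us"; returns "" for anything that is not a string.
function normalizeTag(tag) {
  if (typeof tag !== "string") return "";
  return tag.trim().replace(/_/g, "-").toLowerCase();
}

// Fallback chain for a tag, most specific first: "zh-hant-tw", "zh-hant", "zh".
function candidates(tag) {
  const parts = normalizeTag(tag).split("-").filter(Boolean);
  const chain = [];
  while (parts.length > 0) {
    chain.push(parts.join("-"));
    parts.pop();
    // A trailing singleton such as the "x" in "en-x-test" is not a usable tag.
    while (parts.length > 1 && parts[parts.length - 1].length === 1) parts.pop();
  }
  return chain;
}

// Resolve which translation to print.
// Assumed order: forced tag, then browser tag, then "en".
function pickTranslation(translations, forceLang, browserLang) {
  // A Map keyed by normalized tag: "pt-BR" and "pt_br" both match, and
  // inherited names such as "constructor" can never resolve to a translation.
  const index = new Map();
  for (const [key, value] of Object.entries(translations || {})) {
    index.set(normalizeTag(key), value);
  }
  for (const wanted of [forceLang, browserLang, "en"]) {
    for (const tag of candidates(wanted)) {
      if (index.has(tag)) return { lang: tag, text: index.get(tag) };
    }
  }
  return null; // nothing matched, not even "en": the caller must handle it
}

// Constructed sample data.
const sample = {
  en: { title: "STOP!", message: "Do not paste anything here." },
  "pt-BR": { title: "PARE!", message: "Não cole nada aqui." },
  "zh-Hant": { title: "停！", message: "請勿在此貼上任何內容。" }
};
```

A custom translations object without an en entry is the case to check for: when nothing matches, this sketch returns null and the user would see no warning at all.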

Common options

showConsoleWarning({
  once: true,            // show only once per page load
  clearConsole: false,   // optionally clear console before warning
  productionOnly: false  // gate by production environment
});

Custom translation

showConsoleWarning({
  translations: {
    en: {
      title: "STOP!",
      message:
        "This is for developers only.\nIf someone asks you to paste code here, it is a scam.",
      titleStyle: "color:#d00;font-size:52px;font-weight:900;",
      messageStyle: "font-size:16px;"
    }
  }
});

Full custom JSON

const translations = {
  en: {
    title: "STOP!",
    message: "Private area.\nDo not paste anything here."
  },
  fr: {
    title: "STOP !",
    message: "Zone privée.\nNe collez rien ici."
  }
};

showConsoleWarning({
  translations,
  forceLang: "en",
  clearConsole: true
});

Config overrides

| key | default | description |
| --- | --- | --- |
| defaultTitleStyle | color:red;font-size:48px;font-weight:bold; | default title style |
| defaultMessageStyle | font-size:16px; | default message style |
| defaultSpamIntervalMs | 2000 | repeat interval for the warning in ms |
| devtoolsSizeThresholdPx | 160 | threshold used to detect open devtools |

Environment config for productionOnly

If you want productionOnly to be driven by an environment variable, pass your own key name using productionOnlyEnvKey.

showConsoleWarning({
  productionOnlyEnvKey: "MY_APP_CONSOLE_WARNING_PROD_ONLY"
});

You can also pass multiple keys (first match wins):

showConsoleWarning({
  productionOnlyEnvKey: ["MY_KEY_1", "MY_KEY_2"]
});

Boolean values accepted: 1/0, true/false, yes/no, on/off

Default keys (if you do not pass anything):

  • CONSOLE_SELF_XSS_WARNING_PRODUCTION_ONLY
  • VITE_CONSOLE_SELF_XSS_WARNING_PRODUCTION_ONLY
  • NEXT_PUBLIC_CONSOLE_SELF_XSS_WARNING_PRODUCTION_ONLY

API

type Options = {
  translations?: {
    [lang: string]: {
      title: string
      message: string
      titleStyle?: string
      messageStyle?: string
    }
  }
  forceLang?: string
  once?: boolean
  productionOnly?: boolean
  clearConsole?: boolean
  productionOnlyEnvKey?: string | string[]
  config?: {
    defaultTitleStyle?: string
    defaultMessageStyle?: string
    defaultSpamIntervalMs?: number
    devtoolsSizeThresholdPx?: number
  }
}

showConsoleWarning(options?)

Keywords

console-self-xss-warning

FAQs

Package last updated on 02 Feb 2026
