Security News
Another Round of TEA Protocol Spam Floods npm, But It’s Not a Worm
Recent coverage mislabels the latest TEA protocol spam as a worm. Here’s what’s actually happening.
By Philipp Burckhardt - Nov 14, 2025
content-disposition
Advanced tools
content-disposition
Create and parse HTTP Content-Disposition header
Installation
$ npm install content-disposition
API
var contentDisposition = require('content-disposition')
contentDisposition(filename, options)
Create an attachment Content-Disposition header value using the given file name,
if supplied. The filename is optional and if no file name is desired, but you
want to specify options, set filename to undefined.
res.setHeader('Content-Disposition', contentDisposition('∫ maths.pdf'))
note HTTP headers are of the ISO-8859-1 character set. If you are writing this
header through a means different from setHeader in Node.js, you'll want to specify
the 'binary' encoding in Node.js.
Options
contentDisposition accepts these properties in the options object.
fallback
If the filename option is outside ISO-8859-1, then the file name is actually
stored in a supplemental field for clients that support Unicode file names and
a ISO-8859-1 version of the file name is automatically generated.
This specifies the ISO-8859-1 file name to override the automatic generation or
disables the generation all together, defaults to true.
- A string will specify the ISO-8859-1 file name to use in place of automatic generation.
falsewill disable including a ISO-8859-1 file name and only include the Unicode version (unless the file name is already ISO-8859-1).truewill enable automatic generation if the file name is outside ISO-8859-1.
If the filename option is ISO-8859-1 and this option is specified and has a
different value, then the filename option is encoded in the extended field
and this set as the fallback field, even though they are both ISO-8859-1.
type
Specifies the disposition type, defaults to "attachment". This can also be
"inline", or any other value (all values except inline are treated like
attachment, but can convey additional information if both parties agree to
it). The type is normalized to lower-case.
contentDisposition.parse(string)
var disposition = contentDisposition.parse('attachment; filename="EURO rates.txt"; filename*=UTF-8\'\'%e2%82%ac%20rates.txt')
Parse a Content-Disposition header string. This automatically handles extended
("Unicode") parameters by decoding them and providing them under the standard
parameter name. This will return an object with the following properties (examples
are shown for the string 'attachment; filename="EURO rates.txt"; filename*=UTF-8\'\'%e2%82%ac%20rates.txt'):
-
type: The disposition type (always lower case). Example:'attachment' -
parameters: An object of the parameters in the disposition (name of parameter always lower case and extended versions replace non-extended versions). Example:{filename: "€ rates.txt"}
Examples
Send a file for download
var contentDisposition = require('content-disposition')
var destroy = require('destroy')
var fs = require('fs')
var http = require('http')
var onFinished = require('on-finished')
var filePath = '/path/to/public/plans.pdf'
http.createServer(function onRequest (req, res) {
// set headers
res.setHeader('Content-Type', 'application/pdf')
res.setHeader('Content-Disposition', contentDisposition(filePath))
// send file
var stream = fs.createReadStream(filePath)
stream.pipe(res)
onFinished(res, function () {
destroy(stream)
})
})
Testing
$ npm test
References
- RFC 2616: Hypertext Transfer Protocol -- HTTP/1.1
- RFC 5987: Character Set and Language Encoding for Hypertext Transfer Protocol (HTTP) Header Field Parameters
- RFC 6266: Use of the Content-Disposition Header Field in the Hypertext Transfer Protocol (HTTP)
- Test Cases for HTTP Content-Disposition header field (RFC 6266) and the Encodings defined in RFCs 2047, 2231 and 5987
License
Other packages similar to content-disposition
mime
The 'mime' package can be used to determine a file's MIME type based on its extension, which is helpful when setting the Content-Type header. It does not directly handle Content-Disposition headers but is often used in conjunction with setting these headers.
form-data
The 'form-data' package allows for the creation and submission of FormData instances, which can include files with specific Content-Disposition. It is more focused on constructing multipart/form-data payloads than on creating or parsing Content-Disposition headers.
FAQs
Create and parse Content-Disposition header
The npm package content-disposition receives a total of 44,608,266 weekly downloads. As such, content-disposition popularity was classified as popular.
We found that content-disposition demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Package last updated on 10 Dec 2021
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Security News
PyPI Expands Trusted Publishing to GitLab Self-Managed as Adoption Passes 25 Percent
PyPI adds Trusted Publishing support for GitLab Self-Managed as adoption reaches 25% of uploads
By Sarah Gooding - Nov 14, 2025
Research
/Security News
Malicious Chrome Extension Exfiltrates Seed Phrases, Enabling Wallet Takeover
A malicious Chrome extension posing as an Ethereum wallet steals seed phrases by encoding them into Sui transactions, enabling full wallet takeover.
By Kirill Boychenko - Nov 12, 2025