x-xss-protection


x-xss-protection - npm Package Compare versions

Comparing version 1.3.0 to 2.0.0

index.d.ts


CHANGELOG.md
# Changelog
## 2.0.0 - 2020-08-02
### Changed
- XSS filtering is now disabled by default. See [#230](https://github.com/helmetjs/helmet/issues/230)
### Removed
- No longer accepts options. Read ["How to disable blocking with X–XSS–Protection"](https://github.com/helmetjs/helmet/wiki/How-to-disable-blocking-with-X%E2%80%93XSS%E2%80%93Protection) and ["How to enable the `report` directive with X–XSS–Protection"](https://github.com/helmetjs/helmet/wiki/How-to-enable-the-%60report%60-directive-with-X%E2%80%93XSS%E2%80%93Protection) if you need the legacy behavior.
- Dropped support for old Node versions. Node 10+ is now required
## 1.3.0 - 2019-09-01
### Added
- Added `mode: null` to disable `mode=block`
### Changed
- Minor performance improvements with Internet Explorer <9 detection
## 1.2.0 - 2019-06-15
### Added
- Added TypeScript type definitions. See [#8](https://github.com/helmetjs/x-xss-protection/pull/8)
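Review bot: the 2.0.0 `### Changed` entry ("XSS filtering is now disabled by default") never states the header value the middleware now emits, which is the one fact a consumer auditing response headers needs; suggest `- XSS filtering is now disabled by default: the middleware sets `X-XSS-Protection: 0`.` The `### Removed` entry reads correctly as a breaking change under a major bump, and linking the two wiki pages for the legacy `mode=block` and `report` behaviour gives option users a migration path, which is good practice.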

@@ -17,2 +33,3 @@ - Created a changelog

### Changed
- Updated documentation

@@ -19,0 +36,0 @@ - Excluded some files from npm package


package.json
{
"name": "x-xss-protection",
"author": "Adam Baldwin <adam@npmjs.com> (https://evilpacket.net)",

@@ -7,56 +6,32 @@ "contributors": [

],
"description": "Middleware to set the X-XSS-Protection header",
"version": "1.3.0",
"license": "MIT",
"keywords": [
"helmet",
"security",
"express",
"connect",
"xss",
"x-xss-protection"
],
"homepage": "https://helmetjs.github.io/docs/xss-filter/",
"homepage": "https://helmetjs.github.io/",
"bugs": {
"url": "https://github.com/helmetjs/helmet/issues",
"email": "me@evanhahn.com"
},
"repository": {
"type": "git",
"url": "git://github.com/helmetjs/x-xss-protection.git"
"url": "git://github.com/helmetjs/helmet.git"
},
"bugs": {
"url": "https://github.com/helmetjs/x-xss-protection/issues",
"email": "me@evanhahn.com"
},
"engines": {
"node": ">=4.0.0"
"node": ">=10.0.0"
},
"main": "./dist/index.js",
"typings": "./dist/index.d.ts",
"files": [
"CHANGELOG.md",
"LICENSE",
"README.md",
"CHANGELOG.md",
"dist/index.js",
"dist/index.d.ts"
"index.js",
"index.d.ts"
],
"scripts": {
"pretest": "npm run lint",
"prepublishOnly": "npm run build",
"lint": "eslint --fix '**/*.ts'",
"test": "jest --config test/jest-config.json",
"clean": "rm -rf dist",
"build": "npm run clean && tsc"
},
"devDependencies": {
"@types/connect": "^3.4.32",
"@types/jest": "^24.0.18",
"@types/supertest": "^2.0.8",
"@typescript-eslint/eslint-plugin": "^2.0.0",
"@typescript-eslint/parser": "^2.0.0",
"connect": "^3.7.0",
"eslint": "^5.16.0",
"eslint-config-helmet": "^0.2.0",
"jest": "^24.9.0",
"supertest": "^4.0.2",
"ts-jest": "^24.0.2",
"typescript": "^3.6.2"
}
}
"main": "index.js",
"typings": "index.d.ts",
"name": "x-xss-protection",
"description": "Middleware to disable the X-XSS-Protection header",
"version": "2.0.0",
"keywords": [
"express",
"security",
"x-xss-protection"
]
}
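Review bot: `"files"` now ships `index.js` and `index.d.ts` from the package root while the `"scripts"` block (`build`, `lint`, `test`, `clean`) and every `devDependency` are removed, so the published artefact is no longer produced by `tsc` from this repository and nothing in this manifest runs a test against the emitted header value; since `"repository"` and `"bugs"` now point at `helmetjs/helmet`, the changelog or README should say the package is built and tested from the helmet monorepo, and the publisher should confirm the tarball's `index.js` matches that source before release. `"engines": { "node": ">=10.0.0" }` matches the changelog's "Node 10+ is now required". This view shows `"license": "MIT"` only once and does not make clear whether it survives on the 2.0.0 side; confirm the field is still present in the published manifest.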

@@ -1,33 +0,24 @@

X-XSS-Protection middleware
===========================
[![Build Status](https://travis-ci.org/helmetjs/x-xss-protection.svg?branch=master)](https://travis-ci.org/helmetjs/x-xss-protection)
# X-XSS-Protection middleware
The `X-XSS-Protection` HTTP header is a basic protection against XSS. It was originally [by Microsoft](http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx) but Chrome has since adopted it as well.
The `X-XSS-Protection` HTTP header aimed to offer a basic protection against cross-site scripting (XSS) attacks. _However, you probably should disable it_, which is what this middleware does.
This middleware sets the `X-XSS-Protection` header. On modern browsers, it will set the value to `1; mode=block`. On old versions of Internet Explorer, this creates a vulnerability (see [here](http://hackademix.net/2009/11/21/ies-xss-filter-creates-xss-vulnerabilities/) and [here](http://technet.microsoft.com/en-us/security/bulletin/MS10-002)), and so the header is set to `0` to disable it.
Many browsers have chosen to remove it because of the unintended security issues it creates. Generally, you should protect against XSS with sanitization and a Content Security Policy. For more, read [this GitHub issue](https://github.com/helmetjs/helmet/issues/230).
To use this middleware:
This middleware sets the `X-XSS-Protection` header to `0`. For example:
```javascript
const xssFilter = require('x-xss-protection')
app.use(xssFilter())
```
const xXssProtection = require("x-xss-protection");
To force the header to be set to `1; mode=block` on all versions of IE, add the option:
```javascript
app.use(xssFilter({ setOnOldIE: true }))
// This has some security problems for old IE!
// Set "X-XSS-Protection: 0"
app.use(xXssProtection());
```
You can also optionally configure a report URI, though the flag is [specific to Chrome-based browsers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection). This option will report the violation to the specified URI:
If you truly need the legacy behavior, you can write your own simple middleware and avoid installing this module. For example:
```javascript
app.use(xssFilter({ reportUri: '/report-xss-violation' }))
// NOTE: This is probably insecure!
app.use((req, res, next) => {
res.setHeader("X-XSS-Protection", "1; mode=block");
next();
});
```
To remove `mode=block` from the header, which isn't recommended, set the `mode` option to `null`:
```javascript
app.use(xssFilter({ mode: null }))
```
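Review bot: the new "legacy behavior" snippet is annotated only with `// NOTE: This is probably insecure!`, whereas the removed text explained the concrete risk (setting `1; mode=block` creates vulnerabilities on old versions of Internet Explorer) and linked the hackademix write-up and MS10-002; keep that one-sentence rationale and the two links beside the snippet, and point at the same wiki pages the changelog cites for `mode=block` and `report`, so a reader copying the snippet knows what they are opting into. The intro should also say why the middleware sends `0` explicitly rather than the application simply not installing it; as written, "you probably should disable it, which is what this middleware does" leaves a reader unsure what the module adds over omitting the header. Removing the `setOnOldIE`, `reportUri` and `mode: null` documentation is consistent with the changelog's "No longer accepts options".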

