I have been struggling to implement headers in my application, so I decided to copy some Stack Overflow code to be sure that I was not making any typo:

// Middleware: writes a header onto the *response* that will be sent back
const addToHeader = function (req, res, next) {
    console.log("add to header called ... " + req.url);
    res.header('X-XSS-Protection', '0');
    next();
}

app.post('/processLogIn', addToHeader, async (req, res) => {
    console.log(req.headers)   // logs the headers the browser sent (request)
    res.send()
})

Unfortunately, the problems persist since X-XSS-Protection does not appear in the headers:

{ host: 'localhost:3000',
  'user-agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:64.0) Gecko/20100101 Firefox/64.0',
  accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
  'accept-language': 'en-US,en;q=0.5',
  'accept-encoding': 'gzip, deflate',
  referer: 'http://localhost:3000/logIn',
  'content-type': 'application/x-www-form-urlencoded',
  'content-length': '53',
  dnt: '1',
  connection: 'keep-alive',
  cookie: 'io=ws5aQuqAjplpBAZyAAAA',
  'upgrade-insecure-requests': '1',
  'cache-control': 'max-age=0' }

Following the documentation and Stack Overflow, I changed res.header to set and append, but they give exactly the same result.

Also, I have Express installed and implemented correctly (v. ^4.16.3):

const express = require('express')
let app = express();

With set:

const addToHeader = function (req, res, next) {
    console.log("add to header called ... " + req.url);
    res.set('X-XSS-Protection', '0');   // same effect as res.header()
    next();
}

Output:

{ host: 'localhost:3000',
  'user-agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:64.0) Gecko/20100101 Firefox/64.0',
  accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
  'accept-language': 'en-US,en;q=0.5',
  'accept-encoding': 'gzip, deflate',
  referer: 'http://localhost:3000/logIn',
  'content-type': 'application/x-www-form-urlencoded',
  'content-length': '53',
  dnt: '1',
  connection: 'keep-alive',
  cookie: 'io=ws5aQuqAjplpBAZyAAAA',
  'upgrade-insecure-requests': '1',
  'cache-control': 'max-age=0' }

Xalsar

  • You're logging _request_ headers, but setting _response_ headers. – robertklep Nov 27 '18 at 15:03
  • I thought they were the same: you send a header as a response, reload the page and get it as a request, no? @robertklep – Xalsar Nov 27 '18 at 15:13
  • No, that's not how it works. A browser/client will only send the headers that it deems to be relevant; custom headers (like your `X-XSS-Protection`) are typically just ignored (unless you have specific client-side code that sends along that header for each request). – robertklep Nov 27 '18 at 15:15

2 Answers

The code you're using is wrong. Use .set().

res.set('X-XSS-Protection', '0');

https://expressjs.com/en/4x/api.html#res.set

Brad

  • I have the same result. – Xalsar Nov 27 '18 at 15:03
  • @Xalsar See robertklep's comment above... you're logging request headers, not response headers. – Brad Nov 27 '18 at 15:08
  • I am confused. I thought they were the same: you send a header as a response, reload the page and get it as a request, no? @Brad – Xalsar Nov 27 '18 at 15:15
  • @Xalsar No! An HTTP request (from the browser to the server) has headers for things like identifying the browser, what hostname is being requested, the content type of any request body (like form data in your case), etc. A server response (from the server to the browser) to that request will contain its own headers, identifying the server version, the content type of the response body (the data in the actual response), usually a timestamp, caching instructions, and often more. They're completely unrelated. – Brad Nov 27 '18 at 15:18

If you're trying to set a response header and not an HTTP header, the above code is perfectly fine. I had the same problem; that's when I realized I was on the HTTP header tab and not the response header tab in Postman.

Let me know if this works. Thanks.