In Node.js/Express, how do I automatically add this header to every "render" response?

Question

I have many of these "controllers":

app.get('/',function(req,res){
    var stuff = { 'title': 'blah' };
    res.render('mytemplate',stuff);
});

Notice res.render? I want to add this header to every response header I make:

X-XSS-Protection: 0

How can I add that response header automatically?

score 84 · Answer 1 · answered Jul 04 '13 at 22:56

84

You probably want to use app.use with your own middleware:

app.use(function(req, res, next) {
    res.header('X-XSS-Protection', 0);
    next();
});

answered Jul 04 '13 at 22:56

Francesc Rosas

5,915
2
30
16

4

This is what everyone should be using now. – Jonathan Cremin Feb 11 '14 at 18:10
4

Yes, this is the way to go in Express 4. Always use `app.use` – Tony Jul 17 '14 at 21:50
1

Much better than the excepted answer. – Luke Aug 25 '16 at 20:39
1

Note `res.set` [is an alias](http://expressjs.com/en/api.html#res.set) is the function for which the method used here -- `res.header` -- is an alias – Nate Anderson Jan 27 '18 at 03:14

score 78 · Accepted Answer · answered Jul 12 '11 at 08:30

78

// global controller
app.get('/*',function(req,res,next){
    res.header('X-XSS-Protection' , 0 );
    next(); // http://expressjs.com/guide.html#passing-route control
});

Just make sure this is the first controller you add, order is significant.

answered Jul 12 '11 at 08:30

BGerrissen

21,250
3
39
40

1

aahh, this one seems even better – Philipp Kyeck Jul 12 '11 at 08:32
if you really want to add the header argument to all calls this is way shorter than to add the middleware call to every route. – Philipp Kyeck Jul 12 '11 at 08:38
So by adding this as the first controller, all my other controllers will have that header inside their response? – TIMEX Jul 12 '11 at 11:58
Afaik yes, so it's possible to route a response through several controllers. – BGerrissen Jul 12 '11 at 12:32
1

This is out of date now, see below. – brandones Sep 21 '17 at 09:03
What does the `next()` function call do? It works without it, so I was just kind of curious – Nov 29 '17 at 05:38
Plz look into this: https://stackoverflow.com/questions/69409586/how-to-make-a-get-call-to-api-github-with-express-server – Tanzeel Oct 01 '21 at 17:02

score 15 · Answer 3 · answered Dec 05 '14 at 04:16

For express 4.x, the idiomatic way is as follows:

Implementation

// no mount path; executed for every request.
app.use(function (req, res, next) {
  res.set('X-XSS-Protection', 0);
  next();
});

Test

describe('Response Headers', function () {
  it('responds with header X-XSS-Protection: 0', function (done) {
    hippie(app)
    .get('/any/route/you/can/think/of')
    .expectHeader('X-XSS-Protection', 0)
    .end(done);
  });
});

Dev Dependencies (for tests to work)

% npm install --save-dev mocha hippie

Relevant Documentation

score 7 · Answer 4 · answered Jul 12 '11 at 08:31

you could create your own middleware method like so:

addToHeader = function (req, res, next) {
  console.log("add to header called ... " + req.url);
  res.header('X-XSS-Protection', '0');
  next();
}

and then change your routes to sth like this:

app.get('/', addToHeader, function(req,res){
  var stuff = { 'title': 'blah' };
  res.render('mytemplate',stuff);
});

should work.

Evandro Pomatti · Answer 5 · 2019-06-22T22:18:20.973

Use a middleware...

app.use(function (req, res, next) {
  res.header("Access-Control-Allow-Origin", "*")
  res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept")
  next()
})

But make sure you use it before your API method. Like this:

const app = express()

// middleware
app.use(function (req, res, next) {
  res.header("Access-Control-Allow-Origin", "*")
  res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept")
  next()
})

// api
app.get('/user', (req, res, next) => {
  service.doSomething
    .then(data => res.send(data))
    .catch(next)
})

app.use(handleError)

Took me a while to figure it out. I didn't see it mentioned anywhere so adding this to complement previous answers.

can you plz look into this: https://stackoverflow.com/questions/69409586/how-to-make-a-get-call-to-api-github-with-express-server — Tanzeel, Oct 01 '21 at 17:03

score 3 · Answer 6 · answered Sep 12 '15 at 00:06

I find that another good place to inject default headers is during the Routing Middleware. This way, all routes controlled by the router instance will receive the headers.

For example:

//...
var router = express.Router();

// middleware for all routes
router.use(function(req, res, next) {
  // inject default headers
  res.header('cache-control', 'private, max-age=0');
  res.header('expires', new Date(Date.now()).toUTCString());
  next();
});

// all routes below will now inherit 
// the middleware's default headers
router.get('/users', function(req, res){
   // I will return the user list, with default headers
   // ...
});

score 1 · Answer 7 · answered Jul 26 '16 at 01:08

I'd like to point out that none of these answer actually answer the question; the question is specifically relating to render responses; e.g. for an app like:

const router = require('express').Router();
router.use('/test.json', (req, res) => res.json({ test: 'hi' });
router.use('/test.html', (req, res) => res.render('test'));

It's not clear how to add headers (e.g. CSP headers, which can be very verbose) only to your HTML responses. Express doesn't have a hook to specifically do that. The only option at the moment is to organize your code so you don't have to, e.g.

app.use(jsonRouter);
app.use(htmlRouter);

...which allows you to do as some of the other answers suggest, and add generic middleware for setting the headers.

I think this answer was the answer we both were looking for: https://stackoverflow.com/a/48448925/6814172 — Emilio, Jan 25 '18 at 19:07

In Node.js/Express, how do I automatically add this header to every "render" response?

7 Answers7

Implementation

Test

Dev Dependencies (for tests to work)

Relevant Documentation

Linked