admin管理员组

文章数量:1136163

I have many of these "controllers": 

app.get('/',function(req,res){
    var stuff = { 'title': 'blah' };
    res.render('mytemplate',stuff);
});

Notice res.render? I want to add this header to every response header I make:

X-XSS-Protection: 0

How can I add that response header automatically?

I have many of these "controllers": 

app.get('/',function(req,res){
    var stuff = { 'title': 'blah' };
    res.render('mytemplate',stuff);
});

Notice res.render? I want to add this header to every response header I make:

X-XSS-Protection: 0

How can I add that response header automatically?

  • javascript
  • node.js
  • http
  • express
  • url
Share Improve this question edited May 22, 2017 at 10:39 Sebastian 1,8203 gold badges18 silver badges32 bronze badges asked Jul 12, 2011 at 8:04 TIMEXTIMEX 271k366 gold badges799 silver badges1.1k bronze badges
Add a comment  | 

7 Answers 7

Reset to default 84

You probably want to use app.use with your own middleware:

app.use(function(req, res, next) {
    res.header('X-XSS-Protection', 0);
    next();
});

// global controller
app.get('/*',function(req,res,next){
    res.header('X-XSS-Protection' , 0 );
    next(); // http://expressjs.com/guide.html#passing-route control
});

Just make sure this is the first controller you add, order is significant.

For express 4.x, the idiomatic way is as follows:

Implementation

// no mount path; executed for every request.
app.use(function (req, res, next) {
  res.set('X-XSS-Protection', 0);
  next();
});

Test

describe('Response Headers', function () {
  it('responds with header X-XSS-Protection: 0', function (done) {
    hippie(app)
    .get('/any/route/you/can/think/of')
    .expectHeader('X-XSS-Protection', 0)
    .end(done);
  });
});

Dev Dependencies (for tests to work)

% npm install --save-dev mocha hippie

Relevant Documentation

  • Application Level Middleware
  • res.set

you could create your own middleware method like so:

addToHeader = function (req, res, next) {
  console.log("add to header called ... " + req.url);
  res.header('X-XSS-Protection', '0');
  next();
}

and then change your routes to sth like this:

app.get('/', addToHeader, function(req,res){
  var stuff = { 'title': 'blah' };
  res.render('mytemplate',stuff);
});

should work.

Use a middleware...

app.use(function (req, res, next) {
  res.header("Access-Control-Allow-Origin", "*")
  res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept")
  next()
})

But make sure you use it before your API method. Like this:

const app = express()

// middleware
app.use(function (req, res, next) {
  res.header("Access-Control-Allow-Origin", "*")
  res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept")
  next()
})

// api
app.get('/user', (req, res, next) => {
  service.doSomething
    .then(data => res.send(data))
    .catch(next)
})

app.use(handleError)

Took me a while to figure it out. I didn't see it mentioned anywhere so adding this to complement previous answers.

I find that another good place to inject default headers is during the Routing Middleware. This way, all routes controlled by the router instance will receive the headers.

For example:

//...
var router = express.Router();

// middleware for all routes
router.use(function(req, res, next) {
  // inject default headers
  res.header('cache-control', 'private, max-age=0');
  res.header('expires', new Date(Date.now()).toUTCString());
  next();
});

// all routes below will now inherit 
// the middleware's default headers
router.get('/users', function(req, res){
   // I will return the user list, with default headers
   // ...
});

I'd like to point out that none of these answer actually answer the question; the question is specifically relating to render responses; e.g. for an app like:

const router = require('express').Router();
router.use('/test.json', (req, res) => res.json({ test: 'hi' });
router.use('/test.html', (req, res) => res.render('test'));

It's not clear how to add headers (e.g. CSP headers, which can be very verbose) only to your HTML responses. Express doesn't have a hook to specifically do that. The only option at the moment is to organize your code so you don't have to, e.g.

app.use(jsonRouter);
app.use(htmlRouter);

...which allows you to do as some of the other answers suggest, and add generic middleware for setting the headers.

本文标签:

版权声明:本文标题:javascript - In Node.jsExpress, how do I automatically add this header to every "render" response? - Stack Ove 内容由网友自发贡献,该文观点仅代表作者本人, 转载请联系作者并注明出处:http://www.betaflare.com/web/1736952380a1957478.html, 本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌抄袭侵权/违法违规的内容,一经查实,本站将立刻删除。