Initial commit

node_modules/x-xss-protection/README.md

@@ -0,0 +1,33 @@
+X-XSS-Protection middleware
+===========================
+[![Build Status](https://travis-ci.org/helmetjs/x-xss-protection.svg?branch=master)](https://travis-ci.org/helmetjs/x-xss-protection)
+
+The `X-XSS-Protection` HTTP header is a basic protection against XSS. It was originally [by Microsoft](http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx) but Chrome has since adopted it as well.
+
+This middleware sets the `X-XSS-Protection` header. On modern browsers, it will set the value to `1; mode=block`. On old versions of Internet Explorer, this creates a vulnerability (see [here](http://hackademix.net/2009/11/21/ies-xss-filter-creates-xss-vulnerabilities/) and [here](http://technet.microsoft.com/en-us/security/bulletin/MS10-002)), and so the header is set to `0` to disable it.
+
+To use this middleware:
+
+```javascript
+const xssFilter = require('x-xss-protection')
+app.use(xssFilter())
+```
+
+To force the header to be set to `1; mode=block` on all versions of IE, add the option:
+
+```javascript
+app.use(xssFilter({ setOnOldIE: true }))
+// This has some security problems for old IE!
+```
+
+You can also optionally configure a report URI, though the flag is [specific to Chrome-based browsers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection). This option will report the violation to the specified URI:
+
+```javascript
+app.use(xssFilter({ reportUri: '/report-xss-violation' }))
+```
+
+To remove `mode=block` from the header, which isn't recommended, set the `mode` option to `null`:
+
+```javascript
+app.use(xssFilter({ mode: null }))
+```