This repository has been archived by the owner on Mar 10, 2019. It is now read-only.

JSON hijacking prevention for Express

This middleware adds res.safejson to help prevent JSON hijacking. You can read about JSON hijacking attacks here and here.

First, install it:

```sh
npm install express-json-hijack-prevention
```

Next, use it in your Express application:

```js
var express = require('express');
var jsonHijackPrevention = require('express-json-hijack-prevention');

var app = express();

app.use(jsonHijackPrevention());

// Responds with this:
// while(1);{"numbers":[1,2,3]}
app.get('/response', function(req, res) {
  res.safejson({
    numbers: [1, 2, 3]
  });
});
```

When parsing these JSON responses on the client, make sure to skip the prefix (the default `while(1);` is 9 characters long):

```js
var parsed = JSON.parse(serverResponse.slice(9)); // drop the 9-character "while(1);" prefix
```

If you want to change the prefix (remember to strip the same prefix, and the same number of characters, on the client):

```js
app.use(jsonHijackPrevention({ prepend: "foo bar" }));
```
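As an added example (not the module's own source), here is a minimal version of the behaviour described above: a middleware factory that installs `res.safejson`, and a client-side parser that verifies the prefix before stripping it instead of discarding a fixed character count, which also covers the custom-prefix case. `jsonHijackPrevention`, `parseSafeJson`, `renderSafeJson` and the minimal response object are assumed names constructed for this example.

```javascript
'use strict';

const DEFAULT_PREFIX = 'while(1);';

// Express-style middleware factory (assumed shape, not the real module's
// source). It adds res.safejson(obj), which writes the prefix followed by the
// serialised JSON, so a cross-site <script src> include of the endpoint
// hangs on while(1) before any data is evaluated.
function jsonHijackPrevention(options) {
  const prefix = options && options.prepend !== undefined
    ? options.prepend : DEFAULT_PREFIX;
  return function (req, res, next) {
    res.safejson = function (obj) {
      res.setHeader('Content-Type', 'application/json; charset=utf-8');
      res.send(prefix + JSON.stringify(obj));
    };
    next();
  };
}

// Client side: verify the prefix is present before removing it, rather than
// discarding a fixed number of characters; a custom prefix ("foo bar") has a
// different length, and an unprefixed body should fail loudly, not mis-parse.
function parseSafeJson(body, prefix = DEFAULT_PREFIX) {
  if (typeof body !== 'string' || !body.startsWith(prefix)) {
    throw new Error('expected response to start with ' + JSON.stringify(prefix));
  }
  return JSON.parse(body.slice(prefix.length));
}

// Drives the middleware with a constructed minimal response object so the
// example runs without Express; returns the exact body that would be sent.
function renderSafeJson(payload, options) {
  const res = {
    headers: {},
    body: null,
    setHeader(name, value) { this.headers[name] = value; },
    send(data) { this.body = data; },
  };
  jsonHijackPrevention(options)({}, res, function () {});
  res.safejson(payload);
  return res.body;
}

// renderSafeJson({ numbers: [1, 2, 3] }) returns 'while(1);{"numbers":[1,2,3]}'
```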