
tessl/npm-koa-helmet

Security header middleware collection for Koa applications that wraps Helmet.js

91

1.04x

task.md (evals/scenario-4/)

Legacy XSS Protection Header Middleware

A Koa middleware that adds security headers to disable legacy XSS filtering in browsers.

Background

Older browsers included built-in XSS filters that attempted to detect and block cross-site scripting attacks. These filters turned out to have security vulnerabilities of their own and could be exploited, so the current best practice is to disable them explicitly with an HTTP response header.

Requirements

Create a Koa middleware application that:

  1. Sets up a basic Koa server that listens on a configurable port
  2. Applies security middleware to disable legacy browser XSS filters on all routes
  3. Includes a simple health check endpoint at /health that returns a JSON response with { status: "ok" }
  4. Includes a content endpoint at /api/content that returns JSON data { message: "Hello, World!" }

The middleware should ensure that responses include the appropriate security header to disable legacy XSS filtering mechanisms in older browsers.

Implementation

@generates

API

// Server should export a function to start the server
// Returns the server instance
function startServer(port) {
  // IMPLEMENTATION HERE
}

module.exports = { startServer };

Test Cases

  • The server starts successfully on the specified port @test
  • The /health endpoint returns { status: "ok" } with 200 status @test
  • The /api/content endpoint returns the expected JSON message @test
  • The response headers include the appropriate security header to disable legacy XSS filters @test
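
A check for the last test case, as an added example that is not part of the original task file or of koa-helmet: it classifies the `X-XSS-Protection` header on a set of responses and flags any that do not carry the value `0`, which is what Helmet's X-XSS-Protection middleware sends. The function names, the stand-in Koa-style middleware and the sample responses are assumptions constructed for illustration.

```javascript
// Added example. Function names are hypothetical; sample data is constructed.

// Stand-in Koa-style middleware (not koa-helmet's code): sets the header
// before downstream handlers run, so every route gets it.
function disableLegacyXssFilter() {
  return async function xXssProtection(ctx, next) {
    ctx.set('X-XSS-Protection', '0');
    await next();
  };
}

// Classify the X-XSS-Protection state of one response's headers.
function classifyXssProtection(headers) {
  // Header names are case-insensitive; match regardless of casing.
  const entry = Object.entries(headers)
    .find(([name]) => name.toLowerCase() === 'x-xss-protection');
  if (!entry) return 'missing';
  // Repeated headers show up as an array or as one comma-joined string,
  // e.g. when a proxy adds its own copy next to the application's.
  const flags = [].concat(entry[1])
    .flatMap((v) => String(v).split(','))
    .map((v) => v.split(';')[0].trim());
  if (flags.every((f) => f === '0')) return 'disabled';
  if (flags.every((f) => f === '1')) return 'enabled';
  if (flags.every((f) => f === '0' || f === '1')) return 'conflicting';
  return 'invalid';
}

// Return "path: verdict" for responses that do not explicitly disable the filter.
function findNonCompliant(responses) {
  return responses
    .map((r) => ({ path: r.path, verdict: classifyXssProtection(r.headers) }))
    .filter((r) => r.verdict !== 'disabled')
    .map((r) => `${r.path}: ${r.verdict}`);
}

// Constructed sample responses (not captured from a real server).
const sampleResponses = [
  { path: '/health', headers: { 'x-xss-protection': '0' } },
  { path: '/api/content', headers: { 'X-XSS-Protection': '1; mode=block' } },
  { path: '/legacy', headers: { 'content-type': 'application/json' } },
  { path: '/proxy', headers: { 'x-xss-protection': '0, 1; mode=block' } },
];

console.log(findNonCompliant(sampleResponses));
```
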

Dependencies { .dependencies }

koa { .dependency }

Provides the web application framework.

koa-helmet { .dependency }

Provides security middleware for setting HTTP headers.

Install with Tessl CLI

npx tessl i tessl/npm-koa-helmet
