hpp
Installation
npm install hpp
yarn add hpp
pnpm add hpp
Import
import hpp from 'hpp';
Quick Example
import express from 'express';
import hpp from 'hpp';
const app = express();
app.use(hpp({
whitelist: ['tags', 'categories'],
}));
// GET /search?color=red&color=blue
// req.query.color → 'blue' (last value wins)
About hpp
hpp (HTTP Parameter Pollution) is an Express middleware that protects against HTTP Parameter Pollution attacks by selecting the last parameter value when multiple values are provided for the same parameter. HTTP parameter pollution occurs when an attacker sends multiple values for the same query or body parameter (e.g., ?color=red&color=blue), which different parts of the application stack may interpret differently — the web application firewall might check the first value while the application uses the last, allowing attackers to bypass security filters. hpp puts query and body parameters into req.query and req.body as expected single values, moving duplicate parameters to req.query.pollution and req.body.pollution for inspection. The middleware can be configured with a whitelist of parameters that are legitimately expected to have multiple values (like checkbox groups or multi-select fields). hpp is a lightweight middleware that adds minimal overhead and is typically used alongside helmet and cors as part of a comprehensive Express security middleware stack. While HPP attacks are less common than XSS or CSRF, they can be used to bypass input validation and WAF rules, making hpp a worthwhile defense-in-depth measure for security-conscious applications.
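To make the last-value-wins behaviour described above concrete, the following is an added illustration, not the hpp package's own source: it re-implements the rule with Node's built-in URLSearchParams so it runs without installing hpp or Express. The function names parseQuery and dedupe, the polluted property name, and the sample query string are this example's own assumptions. It also covers the two cases the paragraph only implies, single-valued parameters (left as plain strings) and whitelisted parameters (left as arrays).

```javascript
// Added illustration of HTTP Parameter Pollution handling.
// This is NOT the hpp package's code; it mirrors the behaviour the page
// describes using only Node built-ins (URLSearchParams is global in Node).

// Parse a raw query string into an object where every key maps to the
// array of ALL values sent for it. This is the ambiguous state that
// different layers (WAF, framework, application) may resolve differently.
function parseQuery(rawQuery) {
  const params = new URLSearchParams(rawQuery);
  const out = {};
  for (const [key, value] of params) {
    if (!out[key]) out[key] = [];
    out[key].push(value);
  }
  return out;
}

// Collapse duplicates the way the page describes hpp doing it:
//  - a parameter sent once stays a plain string,
//  - a whitelisted parameter (legitimately multi-valued) stays an array,
//  - any other duplicated parameter keeps only its LAST value, and the
//    full list is moved to `polluted` so it can be logged or inspected.
// (`polluted` is this example's name, not hpp's.)
function dedupe(query, whitelist = []) {
  const allow = new Set(whitelist);
  const clean = {};
  const polluted = {};
  for (const [key, values] of Object.entries(query)) {
    if (values.length === 1) {
      clean[key] = values[0];
      continue;
    }
    if (allow.has(key)) {
      clean[key] = values;          // e.g. checkbox groups, multi-selects
      continue;
    }
    clean[key] = values[values.length - 1]; // last value wins
    polluted[key] = values;                 // evidence for detection/logging
  }
  return { clean, polluted };
}

// Convenience wrapper: one call from raw query string to the deduplicated
// view plus a list of parameter names that were polluted, which is what a
// defender would want to emit to logs.
function processQuery(rawQuery, whitelist = []) {
  const { clean, polluted } = dedupe(parseQuery(rawQuery), whitelist);
  return { clean, polluted, pollutedKeys: Object.keys(polluted) };
}

// Constructed sample request: `color` is duplicated (suspicious), `tags`
// is duplicated but whitelisted (expected), `page` is sent once.
const SAMPLE_QUERY = 'color=red&color=blue&tags=a&tags=b&page=2';
const result = processQuery(SAMPLE_QUERY, ['tags']);
console.log(result.clean);        // { color: 'blue', tags: [ 'a', 'b' ], page: '2' }
console.log(result.pollutedKeys); // [ 'color' ]
```

Because every layer now reads the same single value for `color`, a validator that checks `clean.color` and application code that uses `clean.color` can no longer disagree; the `pollutedKeys` list is the signal worth logging, since legitimate clients rarely repeat a non-whitelisted parameter.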
Quick Facts
| Package | hpp |
| Category | Auth |
| Weekly Downloads | 200K+ |
| License | MIT |
| Install | npm install hpp |
Related Packages
Helmet helps secure Express.js applications by setting various HTTP response headers that protect ag…
Express is the most widely used web application framework for Node.js, providing a minimal and flexi…
CORS (Cross-Origin Resource Sharing) is an Express/Connect middleware that enables cross-origin requ…
express-rate-limit is a basic rate-limiting middleware for Express that limits repeated requests to …