How to block Google's FLoC tracking with Express

, posted

This post assumes you know what Google’s FLoC tracking is.

This post is meant for people who want to copy-paste something and be done. See the “Notes” section below for more details.

Google is rolling out an experimental and controversial ad targeting technology called FLoC, short for “Federated Learning of Cohorts”. If you want to block Google from doing this to the users of your Express application, read on.

Option 1: write a short middleware

You can block FLoC with a four-line middleware function. Here’s what it might look like in an Express app:

app.use((req, res, next) => {
  res.setHeader("Permissions-Policy", "interest-cohort=()");

As you can see, all you need to do is set the Permissions-Policy HTTP response header to a specific value and you’re done. (If you’re already setting the Permissions-Policy header, see the “Notes” section below.)

To make sure this header is set for all of your responses, put this right after creating the app with express(). (You can be more judicious about where you set this if you want. See the “Notes” section below.)

If you’re using TypeScript, here’s what that might look like:

import * as http from "http";

// ...

    _req: http.IncomingMessage,
    res: http.ServerResponse,
    next: () => void
  ) => {
    res.setHeader("Permissions-Policy", "interest-cohort=()");

Option 2: use a package

Many JavaScript developers love to install packages even for the smallest tasks. If you’re one of these people, you can use the floc-block package (which I maintain).

First, install the package with npm install floc-block. Then, in your app:

const flocBlock = require("floc-block");

// ...


Like the option above, I generally recommend putting this right after creating the app with express(). That ensures the value is set for all responses.

Also like above, this middleware sets the Permissions-Policy HTTP response header. In fact, the code is nearly identical to the option above.

This project works with TypeScript and JavaScript, and is basically identical to Option 1 except someone else (me) wrote those four lines.