I'm using Express. How do I disable JSONP for specific routes?

Looking at res.json(), it appears there's no explicit setting to disable JSONP per-route – it only checks the global app setting jsonp callback.

You could simply clear the value of req.query.callback before calling res.json() in any route you don't want to work via JSONP. As a middleware function:

function noJSONP(req, res, next) {
    delete req.query.callback;
    next();
}

Now you can just do this:

app.get('/something/sensitive', noJSONP, function(req, res) {
    // ...
});