Page Contents


By default, LoopBack models you create expose a  standard set of HTTP endpoints for create, read, update, and delete (CRUD) operations. The public property in model-config.json specifies whether to expose the model’s REST APIs, for example:


  "MyModel": {
    "public": true,
    "dataSource": "db"

To “hide” the model’s REST API, simply change public to false.

Hiding properties

To hide a property of a model exposed over REST, define a hidden property. See Model definition JSON file (Hidden properties).

Disabling API Explorer

LoopBack API Explorer is great when you’re developing your application, but for security reasons you may not want to expose it in production.

For an application using loopback-component-explorer, to disable explorer in production:

  • Set the NODE_ENV environment variable to “production”.
  • Then in server/component-config.production.json:


  "loopback-component-explorer": null


By default LoopBack enables Cross-origin resource sharing (CORS) using the cors package. Change the CORS settings in middleware.json.

If you are using a JavaScript client, you must also enable CORS on the client side. For example, one way to enable it with AngularJS is:


var myApp = angular.module('myApp', [

myApp.config(['$httpProvider', function($httpProvider) {
        $httpProvider.defaults.useXDomain = true;
        delete $httpProvider.defaults.headers.common['X-Requested-With'];

Deprecation of built-in CORS middleware

In preparation for the LoopBack 3.0 release, which removes the built-in CORS middleware entirely, we have deprecated the built-in CORS middleware in versions 2.x. Applications scaffolded by an older version of slc loopback will print the following warning when the first request is served:

strong-remoting deprecated The built-in CORS middleware provided by REST adapter was deprecated. See for more details.

To suppress the warning, you should disable the built-in CORS middleware in your server/config.json by setting the property remoting.cors to false:

  // ...
  "remoting": {
    // ...
    "cors": false

If you would like to keep cross-site requests allowed, then you need to follow these additional steps:

  1. npm install --save cors

  2. Edit the initial section in your server/middleware.json and add a configuration block for cors middleware:

      // ...
      "initial": {
        // ...
        "cors": {
          "params": {
            "origin": true,
            "credentials": true,
            "maxAge": 86400
      // ...

Mitigating XSS exploits

LoopBack stores the user’s access token in a JavaScript object, which may make it susceptible to a cross-site scripting (XSS) security exploit. As a best practice to mitigate such threats, use appropriate Express middleware, for example:

See also:


  • security concerns
    • disabling the api explorer
      • user defined models are exposed by default...
      • link to creating an application - disabling api explorer section for more details
    • acls to restrict access LINK to acl section