Model REST APIs
By default, LoopBack models you create expose a standard set of HTTP endpoints for create, read, update, and delete (CRUD) operations. The public property in model-config.json specifies whether to expose the model’s REST APIs, for example:
...
"MyModel": {
  "public": true,
  "dataSource": "db"
},
...
To “hide” the model’s REST API, simply change public to false.
Hiding properties
To hide a property of a model exposed over REST, define a hidden property. See Model definition JSON file (Hidden properties).
Disabling API Explorer
LoopBack API Explorer is great when you’re developing your application, but for security reasons you may not want to expose it in production.
For an application using loopback-component-explorer, to disable explorer in production:
- Set the NODE_ENV environment variable to “production”.
- Then in server/component-config.production.json:
  {
    "loopback-component-explorer": null
  }
Tip: For an application using the old loopback-explorer (prior to version 2.0), disable API Explorer by deleting or renaming server/boot/explorer.js.
CORS
By default LoopBack enables Cross-origin resource sharing (CORS) using the cors package. Change the CORS settings in middleware.json.
If you are using a JavaScript client, you must also enable CORS on the client side. For example, one way to enable it with AngularJS is:
var myApp = angular.module('myApp', ['myAppApiService']);
myApp.config(['$httpProvider', function($httpProvider) {
  $httpProvider.defaults.useXDomain = true;
  delete $httpProvider.defaults.headers.common['X-Requested-With'];
}]);
Deprecation of built-in CORS middleware
In preparation for the LoopBack 3.0 release, which removes the built-in CORS middleware entirely, we have deprecated the built-in CORS middleware in versions 2.x. Applications scaffolded by an older version of slc loopback will print the following warning when the first request is served:
strong-remoting deprecated The built-in CORS middleware provided by REST adapter was deprecated. See https://docs.strongloop.com/display/public/LB/Security+considerations for more details.
To suppress the warning, you should disable the built-in CORS middleware in your server/config.json by setting the property remoting.cors to false:
{
  // ...
  "remoting": {
    // ...
    "cors": false
  }
}
If you would like to keep cross-site requests allowed, then you need to follow these additional steps:
- npm install --save cors
- Edit the initial section in your server/middleware.json and add a configuration block for cors middleware:
  {
    // ...
    "initial": {
      // ...
      "cors": {
        "params": {
          "origin": true,
          "credentials": true,
          "maxAge": 86400
        }
      }
    },
    // ...
  }
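The block above reflects whatever Origin the browser sends ("origin": true) while also allowing credentials, so any site a logged-in user visits can make authenticated calls to the API. The cors package also accepts origin as a function, which lets you keep credentials on but answer only for front-ends you know; the following is an added example, not code from the LoopBack docs, and the origin values, function names and the idea of registering the resulting options from a boot script are assumptions for illustration.

```javascript
// Added example (not from the LoopBack docs): an explicit origin allowlist
// for the `cors` package instead of `"origin": true` with credentials on.
// Relies only on the cors package's documented `origin` callback shape,
// (requestOrigin, callback) => callback(err, allow); nothing is imported.

// Constructed sample front-end origins; replace with your own deployment's.
const ALLOWED_ORIGINS = [
  'https://app.example.com',
  'https://admin.example.com',
];

// Build the options object cors accepts. With `origin` as a function only
// allowlisted origins are echoed back in Access-Control-Allow-Origin; any
// other origin gets no CORS headers, so the browser blocks the response.
function buildCorsOptions(allowlist) {
  const allowed = new Set(allowlist.map((o) => o.toLowerCase()));
  return {
    origin(requestOrigin, callback) {
      // No Origin header means a non-browser client (curl, server-to-server);
      // CORS does not apply there, so allowing it adds no usable header.
      if (!requestOrigin) return callback(null, true);
      // Exact, case-insensitive match on the full origin: scheme, host, port.
      // A substring or prefix check would also accept look-alike hosts.
      callback(null, allowed.has(requestOrigin.toLowerCase()));
    },
    credentials: true,
    maxAge: 86400,
  };
}

// Synchronous helper so the decision can be checked without running Express:
// true means the origin would be reflected in Access-Control-Allow-Origin.
function isOriginAllowed(options, requestOrigin) {
  let decision;
  options.origin(requestOrigin, (err, allow) => { decision = !err && allow; });
  return decision;
}

const corsOptions = buildCorsOptions(ALLOWED_ORIGINS);

// Demonstration on a few constructed origins.
for (const o of ['https://app.example.com', 'https://evil.example.net',
                 'https://app.example.com.evil.net', undefined]) {
  console.log(String(o), '->', isOriginAllowed(corsOptions, o));
}
```

In LoopBack the options object would be passed to cors() when registering the middleware programmatically, since a function cannot be expressed in middleware.json; a plain array of origin strings in "params" is the JSON-only alternative.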
Mitigating XSS exploits
LoopBack stores the user’s access token in a JavaScript object, which may make it susceptible to a cross-site scripting (XSS) security exploit. As a best practice to mitigate such threats, use appropriate Express middleware, for example: