Page Contents


Define application server-side settings in /server/config.json. For example here are the default settings:


  "restApiRoot": "/api",
  "host": "",
  "port": 3000,
  "remoting": {
    ... // See below
  "legacyExplorer": false

Top-level properties

The following table describes the properties you can configure.

Property Description Default


When an authenticated user is denied access because of an ACL, by default the application returns HTTP error status code 401 unauthorized. If you want instead to return 403 (forbidden) set the value here. This may be required, for example, when using an AngularJS interceptor to differentiate between the need to show an access denied/request access page instead of a login dialog.

Can also set this in the Model definition JSON file to define per-model.

What happened to this?


Host or IP address used to create the Node HTTP server. If a request comes to a different host or IP address, then the application won't accept the connection. See server.listen() for more information.

Set to false to disable old routes /models and /routes that are exposed, but no longer used by API Explorer; use true or omit the option to keep them enabled.

When upgrading to v2.14.0, set "legacyExplorer": false

port TCP port to use. 3000
remoting See Remoting properties below. N/A
restApiRoot Root URI of REST API /api

To access the settings in application code, use app.get('_property_').

You can also retrieve Express app object properties with this method. See app.get() in Express documentation for more information.

Remoting properties

Properties under the remoting top-level property determine how the application performs remote operations using strong-remoting; for example:

  "remoting": {
    "context": {
      "enableHttpContext": false
    "rest": {
      "normalizeHttpPath": false,
      "xml": false
    "json": {
      "strict": false,
      "limit": "100kb"
    "urlencoded": {
      "extended": true,
      "limit": "100kb"
    "cors": false,
    "errorHandler": {
      "disableStackTrace": false

The following table describes the remoting properties.

Property Type Description Default
cors Boolean If false, use the CORS settings in middleware.json. false
context.enableHttpContext Boolean Advanced feature. For more information, see Using current context. false
errorHandler.disableStackTrace Boolean

Set to true to disable stack traces; removes the stack property from the Error object.

Ignored when NODE_ENV is "production", when stack traces are always disabled.

json.limit String

Maximum request body size.

You can set other JSON propertis as well; see body-parser.json().

json.strict Boolean

Parse only objects and arrays.

You can set other JSON propertis as well; see body-parser.json().

rest.handleErrors Boolean If true (the default), then the REST adapter handles all errors by sending back a JSON-formatted error response. If false, then errors are passed to the top-level application error-handler. true
rest.handleUnknownPaths Boolean

If true (the default), then the REST adapter emits a 404 error for unknown paths. The REST error handler or the application error handler then handle this error; rest.handleErrors above.

If false, then the REST adapter delegates handling unknown paths to the top-level application by calling next().

rest.normalizeHttpPath Boolean

If true, in HTTP paths, converts:

  • Uppercase letters to lowercase.
  • Underscores (_) to dashes (-).
  • CamelCase to dash-delimited.

Does not affect placeholders (for example ":id").

For example, "MyClass" or "My_class" becomes "my-class".

rest.supportedTypes Array

List of content types that the API supports in HTTP responses.

The response type will match that specfied in the HTTP request "accepts" header, if it is in this list of supported types.

If this property is set, then rest.xml is ignored.

NOTE: 'application/vnd.api-json' is supported, but is not one of the default types.


rest.xml Boolean

If true, then 'xml' is added to the supported content types. Then, the API will then respond with XML when the HTTP request "accepts" type contains 'xml'.

urlencoded.extended Boolean

Parse extended syntax with the qs module.

For more information, see bodyParser.urlencoded().

urlencoded.limit String

Maximum request body size.

For more information, see bodyParser.urlencoded().


Environment-specific settings

You can override values that are set in config.json in:

  • config.local.js or config.local.json
  • config._env_.js or config._env_.json, where env is the value of NODE_ENV (typically development or production); so, for example config.production.json.

For example:


module.exports = {
  host: process.env.CUSTOM_HOST,
  port: process.env.CUSTOM_PORT

For more information, see Environment-specific configuration.