Model REST APIs
By default, LoopBack models you create expose a
standard set of HTTP endpoints for create, read, update, and delete (CRUD) operations.
The public property in model-config.json specifies whether to expose the model’s REST APIs, for example:
...
  "MyModel": {
    "public": true,
    "dataSource": "db"
  },
...
To “hide” the model’s REST API, simply change public to false. Only the HTTP endpoints are removed; the model stays attached to its data source and remains usable from server-side code. Hiding is a way to keep internal models off the wire, not an authorization control: to restrict who may call an exposed model, use ACLs.
Hiding properties
To hide a property of a model exposed over REST, define a hidden property. See Model definition JSON file (Hidden properties).
Tip: Hidden and protected properties are subtly different. hidden determines whether a property is returned by a query directly against the model that contains the property; protected determines whether a property is returned by a query against a model that has a relation to the model being queried (for example, a related user’s password hash when a query on another model includes the user). Both settings control what the REST layer puts in responses; use ACLs to control who may read or write the model. For more information, see Hidden properties.
Disabling API Explorer
LoopBack API Explorer is great when you’re developing your application, but for security reasons you may not want to expose it in production, because it lists every model, remote method and parameter your API accepts.
For an application using loopback-component-explorer, to disable explorer in production:
- Set the NODE_ENV environment variable to “production”.
- Then in server/component-config.production.json:
{
  "loopback-component-explorer": null
}
LoopBack merges the environment-specific file over component-config.json, and a null entry removes the component, so the explorer is never mounted when NODE_ENV is production.
CORS
LoopBack applications use the cors middleware package for cross-origin resource sharing (CORS), but it is disabled by default for applications created with the application generator.
To enable CORS, first ensure that remoting.cors is set to false in server/config.json. This disables remoting-level CORS (used in earlier versions of LoopBack), so that the middleware-level cors handler is the only thing deciding which origins are allowed:
{
  ...
  "remoting": {
    ...
    "cors": false,
    "handleErrors": false
  }
}
Tip: Projects scaffolded with a recent version of the StrongLoop/LoopBack tools already have remoting-level CORS disabled as shown above and the global CORS handler configured in server/middleware.json as shown below.
To configure CORS settings, edit the initial section in the server/middleware.json file:
{
  // ...
  "initial": {
    // ...
    "cors": {
      "params": {
        "origin": true,
        "credentials": true,
        "maxAge": 86400
      }
    }
  },
  // ...
}
Caveat: "origin": true tells the cors package to reflect whatever Origin header the browser sends, and "credentials": true lets the browser attach cookies or HTTP authentication to those requests, so with these params any web site can make credentialed cross-origin requests to the API and read the responses. Before going to production, replace true with the exact origin(s) your front end is served from; the cors package accepts a string or an array of strings for origin.
For information on CORS configuration options, see middleware.json (CORS settings).
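The following is an added example, not code from LoopBack or the cors package. It models how the cors package chooses the Access-Control-Allow-Origin value for the origin settings that middleware.json can express (true, a string, or an array), so you can see the difference between the scaffolded "origin": true and an allow-list without starting a server. The hostnames are assumed.

```javascript
// Added example (not LoopBack's own code): the scaffolded CORS params next to
// an allow-listed version, and the Access-Control-Allow-Origin decision the
// cors package makes for each. Hostnames below are assumed.
'use strict';

// As scaffolded in middleware.json: reflect whatever Origin the browser sends.
const permissiveParams = { origin: true, credentials: true, maxAge: 86400 };

// Hardened: only the hosts the front end is actually served from (assumed).
const ALLOWED_ORIGINS = ['https://app.example.com', 'https://admin.example.com'];
const restrictedParams = { origin: ALLOWED_ORIGINS, credentials: true, maxAge: 86400 };

// Returns the Access-Control-Allow-Origin value that would be emitted for a
// request carrying `requestOrigin`, or null when no header would be emitted
// (the browser then refuses to expose the response to the calling page).
function resolveAllowOrigin(params, requestOrigin) {
  const origin = params.origin;
  if (origin === true) return requestOrigin || null;   // reflect the caller
  if (origin === false || origin == null) return null; // CORS switched off
  if (typeof origin === 'string') return origin;       // one fixed value
  if (!requestOrigin) return null;
  const list = Array.isArray(origin) ? origin : [origin];
  const allowed = list.some(o =>
    o instanceof RegExp ? o.test(requestOrigin) : o === requestOrigin);
  return allowed ? requestOrigin : null;
}

// Builds the CORS response headers for a request from `requestOrigin`.
function corsHeaders(params, requestOrigin) {
  const headers = {};
  const allow = resolveAllowOrigin(params, requestOrigin);
  if (allow === null) return headers;
  headers['Access-Control-Allow-Origin'] = allow;
  if (params.credentials) headers['Access-Control-Allow-Credentials'] = 'true';
  // A reflected or list-matched origin varies per request, so caches must key on Origin.
  if (typeof params.origin !== 'string') headers['Vary'] = 'Origin';
  return headers;
}

// The combination to flag in review: reflect any origin AND allow credentials.
function isOverlyPermissive(params) {
  return params.credentials === true && params.origin === true;
}

// Usage: an attacker-controlled page asks for a credentialed response.
const attackerOrigin = 'https://evil.example';
console.log('scaffolded:', corsHeaders(permissiveParams, attackerOrigin));
console.log('allow-list:', corsHeaders(restrictedParams, attackerOrigin));
```

With the scaffolded params the attacker origin is echoed back together with Access-Control-Allow-Credentials: true; with the allow-list no CORS headers are emitted for it at all, while requests from https://app.example.com still work. In middleware.json the allow-list form is just "origin": ["https://app.example.com", "https://admin.example.com"].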
Enabling CORS on the client
CORS itself is enforced by the browser, so there is nothing to switch on in a JavaScript client; what you can control on the client side is whether your requests carry custom headers that force a preflight. For example, a common AngularJS configuration is:
var myApp = angular.module('myApp', [
  'myAppApiService']);   // the application's own API-service module
myApp.config(['$httpProvider', function($httpProvider) {
  $httpProvider.defaults.useXDomain = true;
  // Stop sending the custom X-Requested-With header, which would otherwise
  // turn every request into a preflighted one
  delete $httpProvider.defaults.headers.common['X-Requested-With'];
}
]);
Note that useXDomain is not a documented $httpProvider setting and has no effect; the line that matters is the delete. AngularJS 1.1.1 and later no longer send X-Requested-With by default, so on those versions the delete is harmless but unnecessary.
Mitigating XSS exploits
LoopBack keeps the user’s access token in a JavaScript object that page scripts can read, which makes it susceptible to a cross-site scripting (XSS) exploit: any script an attacker manages to inject into the page can read the token and send it elsewhere. As a best practice to mitigate such threats, use appropriate Express middleware, for example the Helmet package.
Note: Standard scaffolded LoopBack 3.0 applications load a number of Helmet middleware functions, including xssFilter, frameguard, hsts, hidePoweredBy, ieNoOpen, noSniff, and noCache. Be aware that xssFilter only sets the legacy X-XSS-Protection header, which current browsers ignore, and that the scaffolded list does not include contentSecurityPolicy; a Content-Security-Policy that disallows inline and third-party script is the Helmet function that actually limits what an injected payload can do.
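The following is an added example, not code from LoopBack or Helmet: a dependency-free Express-style middleware that emits a Content-Security-Policy header and refuses policies that would let inline script run. The directive set is an assumed starting point, not a LoopBack default.

```javascript
// Added example (not LoopBack's or Helmet's code): a stand-in for
// helmet.contentSecurityPolicy that shows what the header contains and checks
// the policy does not re-enable the script sources XSS payloads rely on.
// The DEFAULT_DIRECTIVES are an assumed starting point.
'use strict';

// Allow only the application's own bundled scripts; block plugins, base-tag
// hijacking and framing (the common XSS and clickjacking vectors).
const DEFAULT_DIRECTIVES = {
  'default-src': ["'self'"],
  'script-src': ["'self'"],
  'object-src': ["'none'"],
  'base-uri': ["'self'"],
  'frame-ancestors': ["'none'"],
};

// Serialises a directives map into the header value, e.g.
// "default-src 'self'; script-src 'self'; ..."
function buildCsp(directives) {
  return Object.keys(directives)
    .map(name => `${name} ${directives[name].join(' ')}`)
    .join('; ');
}

// Rejects a policy whose effective script source list would let injected
// inline script, any host, or data: URLs execute.
function assertPolicyIsStrict(directives) {
  const script = directives['script-src'] || directives['default-src'] || [];
  for (const src of script) {
    if (src === "'unsafe-inline'" || src === '*' || src.startsWith('data:')) {
      throw new Error(`script-src must not contain ${src}`);
    }
  }
}

// Factory returning an Express middleware (req, res, next).
function contentSecurityPolicy(directives = DEFAULT_DIRECTIVES) {
  assertPolicyIsStrict(directives);
  const value = buildCsp(directives);
  return function cspMiddleware(req, res, next) {
    res.setHeader('Content-Security-Policy', value);
    next();
  };
}

// Usage against a stand-in response object, no server required.
function demo() {
  const headers = {};
  const res = { setHeader: (k, v) => { headers[k] = v; } };
  contentSecurityPolicy()({}, res, () => {});
  return headers;
}
console.log(demo());
```

In a LoopBack 3 application you would normally register Helmet’s real function instead, using the same module#export syntax as the scaffolded entries, e.g. "helmet#contentSecurityPolicy": { "params": { "directives": { ... } } } in the initial section of server/middleware.json; the assertPolicyIsStrict check above is the review you should apply to whatever directives you put there.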
See also: