Model REST APIs

By default, LoopBack models you create expose a  standard set of HTTP endpoints for create, read, update, and delete (CRUD) operations. The public property in model-config.json specifies whether to expose the model’s REST APIs, for example:

/server/model-config.json

...
  "MyModel": {
    "public": true,
    "dataSource": "db"
  },
...

To “hide” the model’s REST API, simply change public to false.

Hiding properties

To hide a property of a model exposed over REST, define a hidden property. See Model definition JSON file (Hidden properties).

Disabling API Explorer

LoopBack API Explorer is great when you’re developing your application, but for security reasons you may not want to expose it in production.

For an application using loopback-component-explorer, to disable explorer in production:

  • Set the NODE_ENV environment variable to “production”.
  • Then in server/component-config.production.json:

server/component-config.production.json

{
  "loopback-component-explorer": null
}

CORS

LoopBack applications use the cors middleware package for cross-origin resource sharing (CORS), but it is disabled by default for applications created with the application generator.

Before enabling CORS through middleware, ensure that remoting.cors is set to false in server/config.json. This disables the remoting-level CORS used in earlier versions of LoopBack, so that the middleware configuration is the only one in effect.

{
  ...
  "remoting": {
    ...
    "cors": false,
    "handleErrors": false
  }
}

To configure CORS settings, edit the initial section in the server/middleware.json file:

{
  // ...
  "initial": {
    // ...
    "cors": {
      "params": {
        "origin": true,
        "credentials": true,
        "maxAge": 86400
      }
    }
  },
  // ...
}

For information on CORS configuration options, see middleware.json (CORS settings).

Enabling CORS on the client

If you are using a JavaScript client, you must also enable CORS on the client side. For example, one way to enable it with AngularJS is:

/client/app.js

var myApp = angular.module('myApp', ['myAppApiService']);

myApp.config(['$httpProvider', function($httpProvider) {
  $httpProvider.defaults.useXDomain = true;
  delete $httpProvider.defaults.headers.common['X-Requested-With'];
}]);

Mitigating XSS exploits

LoopBack stores the user’s access token in a JavaScript object, which may make it susceptible to a cross-site scripting (XSS) security exploit. As a best practice to mitigate such threats, use appropriate Express middleware, for example:

See also: