Model REST APIs
By default, LoopBack models you create expose a
standard set of HTTP endpoints for create, read, update, and delete (CRUD) operations.
The public property in model-config.json specifies whether to expose the model’s REST APIs, for example:
/server/model-config.json
...
"MyModel": {
"public": true,
"dataSource": "db"
},
...
To “hide” the model’s REST API, simply change public to false.
Hiding properties
To hide a property of a model exposed over REST, define a hidden property. See Model definition JSON file (Hidden properties).
Tip: hidden プロパティとprotected プロパティは微妙に異なります。
hiddendetermines whether a property is returned by a query directly against the model that contains the property.protecteddetermines whether a property is returned by a query against a model that has a relation to the model being queried.
詳細は、Hidden プロパティを参照ください。
Disabling API Explorer
LoopBack API Explorer is great when you’re developing your application, but for security reasons you may not want to expose it in production.
For an application using loopback-component-explorer, to disable explorer in production:
- Set the NODE_ENV environment variable to “production”.
- Then in
server/component-config.production.json:
server/component-config.production.json
{
"loopback-component-explorer": null
}
CORS
LoopBack applications use the cors middleware package for cross-origin resource sharing (CORS), but it is disabled by default for applications created with the application generator.
To enable CORS, ensure that remoting.cors is set to false in server/config.json. This disables remoting-level CORS (used in earlier versions of LoopBack).
{
...
"remoting": {
...
"cors": false,
"handleErrors": false
}
}
Tip: Projects scaffolded with a recent version StrongLoop/LoopBack tools already have remoting-level CORS disabled as shown above and the global CORS handler configured in server/middleware.json as shown below.
To configure CORS settings, edit the initial section in the server/middleware.json file:
{
// ...
"initial": {
// ...
"cors": {
"params": {
"origin": true,
"credentials": true,
"maxAge": 86400
}
}
},
// ...
}
For information on CORS configuration options, see middleware.json (CORS settings).
Enabling CORS on the client
If you are using a JavaScript client, you must also enable CORS on the client side. For example, one way to enable it with AngularJS is:
/client/app.js
var myApp = angular.module('myApp', [
'myAppApiService']);
myApp.config(['$httpProvider', function($httpProvider) {
$httpProvider.defaults.useXDomain = true;
delete $httpProvider.defaults.headers.common['X-Requested-With'];
}
]);
Mitigating XSS exploits
LoopBack stores the user’s access token in a JavaScript object, which may make it susceptible to a cross-site scripting (XSS) security exploit. As a best practice to mitigate such threats, use appropriate Express middleware, for example:
Note: Standard scaffolded LoopBack 3.0 applications load a number of Helmet middleware functions, including xssFilter, frameguard, hsts, hidePoweredBy, ieNoOpen, noSniff, and noCache.
See also: