Model REST APIs
By default, every LoopBack model you create exposes a standard set of HTTP endpoints for create, read, update, and delete (CRUD) operations. The public property in server/model-config.json controls whether a model's REST API is mounted; it defaults to true when omitted, so a model is exposed unless you say otherwise. For example:

```json
...
"MyModel": {
  "public": true,
  "dataSource": "db"
},
...
```

To "hide" the model's REST API, change public to false. The model still exists and can be used from server-side code; only its HTTP routes disappear. Hiding a model is not access control: for any model that stays public, restrict who may call which method with ACLs rather than relying on the route being unknown.
Disabling API Explorer
LoopBack API Explorer is useful while you are developing your application, but it documents every exposed model and method, so you usually do not want it reachable in production. To disable API Explorer entirely in an application created with the Application generator, delete or rename server/boot/explorer.js. Newer LoopBack 2.x applications mount the explorer through server/component-config.json instead; there, remove the "loopback-component-explorer" entry, or set it to null in an environment-specific file such as component-config.production.json so it stays available in development.
CORS
By default LoopBack enables Cross-origin resource sharing (CORS), and the generated configuration reflects whatever Origin the browser sends and allows credentials. That is convenient in development, but in production it means any web site can make credentialed requests to your API from a user's browser; restrict the allowed origins to the sites that actually host your client.
CORS is enforced by the browser, so there is nothing to "enable" on a JavaScript client beyond making sure its requests are ones the browser will send. With older AngularJS versions, for example, you drop the X-Requested-With header (which otherwise forces a preflight request) like this:

```javascript
var myApp = angular.module('myApp', ['myAppApiService']);

myApp.config(['$httpProvider', function($httpProvider) {
  // Older AngularJS versions needed this flag for cross-domain requests.
  $httpProvider.defaults.useXDomain = true;
  // A custom header turns a simple request into a preflighted one; remove it.
  delete $httpProvider.defaults.headers.common['X-Requested-With'];
}]);
```
Mitigating XSS exploits
LoopBack's JavaScript clients keep the user's access token in a JavaScript object, which any script running in the page can read. A cross-site scripting (XSS) flaw in your application therefore hands the token to the attacker. As a best practice, mitigate this in the Express layer: escape untrusted data before it reaches HTML, and send security headers such as a Content-Security-Policy that refuses injected inline scripts, using appropriate Express middleware.
See also the Express 3.x csrf() function (the csurf package in Express 4). Note that CSRF protection is a separate defence: it stops other sites from making state-changing requests with the user's credentials, but it does not prevent a script injected into your own page from reading the token.