Chinese Documentation : Security considerations

Model REST APIs

By default, LoopBack models you create expose a standard set of HTTP endpoints for create, read, update, and delete (CRUD) operations. The public property in model-config.json specifies whether to expose the model's REST APIs, for example:

/server/model-config.json
...
  "MyModel": {
    "public": true,
    "dataSource": "db"
  },
...

To "hide" the model's REST API, simply change public to false.

Disabling API Explorer

LoopBack API Explorer is great when you're developing your application, but for security reasons you may not want to expose it in production. To disable API Explorer entirely, if you created your application with the Application generator, simply delete or rename server/boot/explorer.js.

CORS

By default LoopBack enables Cross-origin resource sharing (CORS).

If you are using a JavaScript client, you must also enable CORS on the client side. For example, one way to enable it with AngularJS is:

/client/app.js
var myApp = angular.module('myApp', ['myAppApiService']);

myApp.config(['$httpProvider', function($httpProvider) {
  // Allow the browser-side client to send cross-domain requests
  $httpProvider.defaults.useXDomain = true;
  // Drop the header that would otherwise force a CORS preflight on every request
  delete $httpProvider.defaults.headers.common['X-Requested-With'];
}]);

Mitigating XSS exploits

LoopBack stores the user's access token in a JavaScript object, which may make it susceptible to a cross-site scripting (XSS) security exploit. As a best practice to mitigate such threats, use appropriate Express middleware, for example:

See also the Express 3.x csrf() function.

REVIEW COMMENT from Rand
  • security concerns
    • disabling the api explorer
      • user defined models are exposed by default...
      • link to creating an application - disabling api explorer section for more details
    • acls to restrict access LINK to acl section