put these lines in your server.js
const Koa = require('koa');
const path = require('path');
const koaApp = module.exports = new Koa();
const config = require('./config');
const App = require('@emartech/boar-koa-server').app;
const app = new App(koaApp);
app.loadControllers(path.join(config.root, 'controllers'));
if (!module.parent) { app.listen(config.port); }
const cors = require('koa-cors');
const app = new App(koaApp);
app.addMiddleware(cors());
Cors Support (@koa/cors)
app.addCorsSupportMiddleware();
Allowed settings :
app.addCorsSupportMiddleware({
allowOrigin: '*', // `Access-Control-Allow-Origin`, * or a regex to filter allowed origins (for instance /emarsys.(com|net)$/)
allowMethods: 'GET,HEAD,PUT,POST,DELETE,PATCH', // `Access-Control-Allow-Methods`
});
Access-Control-Allow-Origin
header with the value of the origin from the request. This behavior completely disables one of the most crucial elements of browsers - the Same Origin Policy (SOP), this could cause a very serious security threat to the users of this middleware.
Since version 2.0.0
, the package is based @koa/[email protected]
which
disables this behavior.
It is highly recommended to specify a list of allowed origins.
Method Override (koa-methodoverwrite)
app.addMethodOverrideMiddleware();
Body Parse (koa-bodyparser)
Param | Type | Description |
---|---|---|
options | Object |
More info. |
app.addBodyParseMiddleware(options);
Request Id (koa-requestid)
Param | Type | Description |
---|---|---|
options | Object |
optional |
↳header | String |
The name of the header to read the id on the request, false to disable. |
↳query | String |
The name of the header to read the id on the query string, false to disable. |
↳expose | String |
The name of the header to expose the id on the response, false to disable. |
app.addRequestIdmiddleware(options);
Enforce SSL (koa-ssl)
Param | Type | Description |
---|---|---|
options | Object |
More info. |
app.addEnforceSSLMiddleware();
If your application is running behind reverse proxy (like Heroku) you should set the trustProxy configuration option to true in order to process the x-forwarded-proto header.
const app = new App(koaApp);
app.addEnforceSSLMiddleware({ trustProxy: true });
Note: if you use this middleware EnforceSSL middleware should be the first you add.
Provides middlewares for setting up various security related HTTP headers.
Param | Type | Description |
---|---|---|
options | Object |
|
↳csp | Object |
More info. Learn more: CSP quick reference |
↳hsts | Object |
More info. Learn more: OWASP HSTS page |
↳useXssFilter | Boolean |
If true , x-xss-protection middleware will be included. Default: true |
↳useNoSniff | Boolean |
If true , dont-sniff-mimetype middleware will be included. Default: true |
↳referrerPolicy | Boolean,Object |
If{ policy: 'same-origin'} , referrer-policy middleware will be included. Default false |
app.addSecurityMiddlewares(options);
{
csp: {
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'"],
styleSrc: ["'self'"],
imgSrc: ["'self'"],
frameAncestors: ["'self'"],
reportUri: 'about:blank'
},
reportOnly: true
},
hsts: {
maxAge: 30,
includeSubDomains: true,
preload: false
},
useXssFilter: true,
useNoSniff: true,
referrerPolicy: false
}
var ControllerFactory = require('@emartech/boar-koa-server').lib.controllerFactory;
module.exports = ControllerFactory.create(function(router) {
router.get('/', ControllerFactory.load('main/actions/get'));
router.get('/healthcheck', ControllerFactory.load('main/actions/healthcheck/get'));
router.get('/list', ControllerFactory.loadByAcceptType('main/actions/list/get'));
});