put these lines in your server.js
const Koa = require('koa');
const path = require('path');
const koaApp = module.exports = new Koa();
const config = require('./config');
const App = require('@emartech/boar-koa-server').app;
const app = new App(koaApp);
app.loadControllers(path.join(config.root, 'controllers'));
if (!module.parent) { app.listen(config.port); } const cors = require('koa-cors');
const app = new App(koaApp);
app.addMiddleware(cors());Cors Support (@koa/cors)
app.addCorsSupportMiddleware();Allowed settings :
app.addCorsSupportMiddleware({
allowOrigin: '*', // `Access-Control-Allow-Origin`, * or a regex to filter allowed origins (for instance /emarsys.(com|net)$/)
allowMethods: 'GET,HEAD,PUT,POST,DELETE,PATCH', // `Access-Control-Allow-Methods`
});Access-Control-Allow-Origin header with the value of the origin from the request. This behavior completely disables one of the most crucial elements of browsers - the Same Origin Policy (SOP), this could cause a very serious security threat to the users of this middleware.
Since version 2.0.0, the package is based @koa/[email protected] which
disables this behavior.
It is highly recommended to specify a list of allowed origins.
Method Override (koa-methodoverwrite)
app.addMethodOverrideMiddleware();Body Parse (koa-bodyparser)
| Param | Type | Description |
|---|---|---|
| options | Object |
More info. |
app.addBodyParseMiddleware(options);Request Id (koa-requestid)
| Param | Type | Description |
|---|---|---|
| options | Object |
optional |
| ↳header | String |
The name of the header to read the id on the request, false to disable. |
| ↳query | String |
The name of the header to read the id on the query string, false to disable. |
| ↳expose | String |
The name of the header to expose the id on the response, false to disable. |
app.addRequestIdmiddleware(options);Enforce SSL (koa-ssl)
| Param | Type | Description |
|---|---|---|
| options | Object |
More info. |
app.addEnforceSSLMiddleware();If your application is running behind reverse proxy (like Heroku) you should set the trustProxy configuration option to true in order to process the x-forwarded-proto header.
const app = new App(koaApp);
app.addEnforceSSLMiddleware({ trustProxy: true });Note: if you use this middleware EnforceSSL middleware should be the first you add.
Provides middlewares for setting up various security related HTTP headers.
| Param | Type | Description |
|---|---|---|
| options | Object |
|
| ↳csp | Object |
More info. Learn more: CSP quick reference |
| ↳hsts | Object |
More info. Learn more: OWASP HSTS page |
| ↳useXssFilter | Boolean |
If true, x-xss-protection middleware will be included. Default: true |
| ↳useNoSniff | Boolean |
If true, dont-sniff-mimetype middleware will be included. Default: true |
| ↳referrerPolicy | Boolean,Object |
If{ policy: 'same-origin'}, referrer-policy middleware will be included. Default false |
app.addSecurityMiddlewares(options); {
csp: {
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'"],
styleSrc: ["'self'"],
imgSrc: ["'self'"],
frameAncestors: ["'self'"],
reportUri: 'about:blank'
},
reportOnly: true
},
hsts: {
maxAge: 30,
includeSubDomains: true,
preload: false
},
useXssFilter: true,
useNoSniff: true,
referrerPolicy: false
} var ControllerFactory = require('@emartech/boar-koa-server').lib.controllerFactory;
module.exports = ControllerFactory.create(function(router) {
router.get('/', ControllerFactory.load('main/actions/get'));
router.get('/healthcheck', ControllerFactory.load('main/actions/healthcheck/get'));
router.get('/list', ControllerFactory.loadByAcceptType('main/actions/list/get'));
});