
tessl/npm-koa-helmet

Security header middleware collection for Koa applications that wraps Helmet.js


evals/scenario-1/task.md

Custom Security Middleware Stack

Build a Koa application that implements a custom security middleware stack with different security policies for different route groups.

Requirements

Your application should have three route groups with distinct security configurations:

1. Public API Routes (/api/public/*)

These routes serve public data and need:

  • MIME type sniffing prevention
  • XSS filter configuration
  • Referrer policy set to "no-referrer"

2. Admin Routes (/admin/*)

These routes require stricter security:

  • All protections from public routes
  • HSTS with a max age of 365 days and subdomain inclusion
  • Frame protection to completely deny embedding

3. Content Routes (/content/*)

These routes serve user content and need:

  • MIME type sniffing prevention
  • Content Security Policy allowing images from any source but restricting scripts to same origin only
  • DNS prefetch control disabled

Test Cases

  • GET request to /api/public/data returns response with X-Content-Type-Options header set to nosniff @test
  • GET request to /api/public/data returns response with Referrer-Policy header set to no-referrer @test
  • GET request to /admin/dashboard returns response with Strict-Transport-Security header containing max-age=31536000 and includeSubDomains @test
  • GET request to /admin/dashboard returns response with X-Frame-Options header set to DENY @test
  • GET request to /content/images returns response with Content-Security-Policy header that allows images from any source @test
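
The header expectations above can also be checked on a captured response without running the app. The following is an added example, not part of the original task or of koa-helmet: `auditHeaders`, `POLICIES` and the sample headers are hypothetical or constructed, header keys are assumed to be lowercased, and the `X-XSS-Protection` check only tests presence because the task does not state a value.

```javascript
// Added example: audit captured response headers against this task's
// route-group policies. All names here are hypothetical; header keys are
// assumed lowercased, as Node's http client reports them.

// Parse "a=b; c" (HSTS, sep /=/) or "name v1 v2; ..." (CSP, sep /\s/) into a Map.
function parseDirectives(value, sep) {
  const out = new Map();
  for (const part of String(value || '').split(';')) {
    const t = part.trim();
    if (!t) continue;
    const i = t.search(sep);
    const name = (i === -1 ? t : t.slice(0, i)).toLowerCase();
    if (!out.has(name)) out.set(name, i === -1 ? '' : t.slice(i + 1).trim());
  }
  return out;
}
const eq = (name, want) => (h) =>
  String(h[name] || '').toLowerCase() === want.toLowerCase() ? null : `${name} must be ${want}`;
function hsts(h) {
  const d = parseDirectives(h['strict-transport-security'], /=/);
  const ok = Number(d.get('max-age')) === 365 * 24 * 60 * 60 && d.has('includesubdomains');
  return ok ? null : 'HSTS must set max-age=31536000 and includeSubDomains';
}
function csp(h) {
  const d = parseDirectives(h['content-security-policy'], /\s/);
  // A missing directive falls back to default-src, so check the effective list.
  const list = (n) => (d.get(n) ?? d.get('default-src') ?? '').split(/\s+/).filter(Boolean);
  if (!list('img-src').includes('*')) return 'CSP img-src must allow any source';
  const s = list('script-src');
  return s.length === 1 && s[0] === "'self'" ? null : "CSP script-src must be 'self' only";
}
const PUBLIC = [eq('x-content-type-options', 'nosniff'), eq('referrer-policy', 'no-referrer'),
  (h) => ('x-xss-protection' in h ? null : 'x-xss-protection must be set')];
const POLICIES = [
  ['/api/public/', PUBLIC],
  ['/admin/', [...PUBLIC, hsts, eq('x-frame-options', 'DENY')]],
  ['/content/', [eq('x-content-type-options', 'nosniff'), csp, eq('x-dns-prefetch-control', 'off')]],
];
// Returns a list of violations; an empty list means the response conforms.
function auditHeaders(path, headers) {
  const group = POLICIES.find(([prefix]) => path.startsWith(prefix));
  if (!group) return [`no policy defined for ${path}`];
  return group[1].map((check) => check(headers)).filter(Boolean);
}
// Constructed sample: a /content response whose CSP wrongly permits inline scripts.
const SAMPLE_CONTENT = { 'x-content-type-options': 'nosniff', 'x-dns-prefetch-control': 'off',
  'content-security-policy': "default-src 'self';img-src *;script-src 'self' 'unsafe-inline'" };
console.log(auditHeaders('/content/images', SAMPLE_CONTENT));
```

The checker reports the extra `'unsafe-inline'` source in the sample, a case the listed test cases would not catch because they only assert on `img-src`.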

Implementation

@generates

API

/**
 * Creates and configures a Koa application with custom security middleware.
 * Returns the configured Koa app instance.
 */
function createApp() {
  // Implementation here
}

module.exports = { createApp };

Dependencies { .dependencies }

koa { .dependency }

Provides the web application framework.

@satisfied-by

koa-helmet { .dependency }

Provides security header middleware.

@satisfied-by

koa-router { .dependency }

Provides routing capabilities for different route groups.

@satisfied-by

Install with Tessl CLI

npx tessl i tessl/npm-koa-helmet
