
tessl/npm-koa-helmet

Security header middleware collection for Koa applications that wraps Helmet.js


Clickjacking Protection Server

Build a Koa web application that implements configurable clickjacking protection.

Requirements

Your application should:

  1. Create a Koa web server that listens on port 3000
  2. Implement clickjacking protection based on an environment variable FRAME_POLICY:
    • strict: Deny all frame embedding
    • same-origin: Allow embedding only from same origin (default behavior)
    • disabled: Skip clickjacking protection entirely
  3. Include a /health endpoint that returns JSON: { status: 'ok' }

Implementation

@generates

Capabilities

Clickjacking Protection Configuration

  • When FRAME_POLICY is 'strict', the response includes X-Frame-Options header set to 'DENY' @test
  • When FRAME_POLICY is 'same-origin', the response includes X-Frame-Options header set to 'SAMEORIGIN' @test
  • When FRAME_POLICY is 'disabled', the response does not include any X-Frame-Options header @test

Health Check Endpoint

  • The /health endpoint returns status 200 with JSON body { status: 'ok' } @test

API

/**
 * Creates and configures a Koa application with clickjacking protection
 * @returns {object} Configured Koa app instance
 */
function createApp() {
  // Implementation here
}

/**
 * Starts the server on the specified port
 * @param {number} port - Port to listen on
 * @returns {object} HTTP server instance
 */
function startServer(port) {
  // Implementation here
}

module.exports = { createApp, startServer };
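
One possible implementation of the API above, as an added example that is not part of the original task or of the koa-helmet project; it assumes CommonJS, `koa`, and a `koa-helmet` release that exposes `frameguard`. The `env` parameter, the `resolveFramePolicy` helper, case-insensitive matching, and rejecting unrecognized `FRAME_POLICY` values at startup are assumptions the task does not specify.

```javascript
// Accepted FRAME_POLICY values mapped to frameguard options (null = send no header).
const FRAME_POLICIES = {
  strict: { action: 'deny' },              // X-Frame-Options: DENY
  'same-origin': { action: 'sameorigin' }, // X-Frame-Options: SAMEORIGIN
  disabled: null,
};

/**
 * Resolves a FRAME_POLICY value to frameguard options.
 * Unset or empty falls back to same-origin, the default named in the task.
 * Unknown values throw (assumption), so a typo such as "disable" stops the
 * server at startup instead of silently changing the protection level.
 */
function resolveFramePolicy(value) {
  const key = value === undefined || value === ''
    ? 'same-origin'
    : String(value).trim().toLowerCase();
  // Own-property check: keys like "constructor" must not resolve via the prototype.
  if (!Object.prototype.hasOwnProperty.call(FRAME_POLICIES, key)) {
    throw new Error(`Unsupported FRAME_POLICY: ${JSON.stringify(value)}`);
  }
  return FRAME_POLICIES[key];
}

function createApp(env = process.env) {
  // Loaded here so the policy helper can be unit-tested without the packages.
  const Koa = require('koa');
  const helmet = require('koa-helmet');
  const app = new Koa();
  const options = resolveFramePolicy(env.FRAME_POLICY);
  if (options) app.use(helmet.frameguard(options)); // header on every response
  app.use(async (ctx, next) => {
    if (ctx.method === 'GET' && ctx.path === '/health') {
      ctx.body = { status: 'ok' }; // Koa sends objects as JSON with status 200
      return;
    }
    await next();
  });
  return app;
}

function startServer(port = 3000) {
  return createApp().listen(port);
}

if (typeof module !== 'undefined') {
  module.exports = { createApp, startServer, resolveFramePolicy };
}
```
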

Dependencies { .dependencies }

koa { .dependency }

Provides web application framework for Node.js

@satisfied-by

koa-helmet { .dependency }

Provides security header middleware including clickjacking protection

@satisfied-by

Install with Tessl CLI

npx tessl i tessl/npm-koa-helmet
