
tessl/npm-koa-helmet

Security header middleware collection for Koa applications that wraps Helmet.js


task.md (evals/scenario-3/)

Secure API Server

Build a basic Koa web server that serves a REST API with proper security headers to protect against common web vulnerabilities.

Requirements

Your server should:

  1. Create a Koa application and configure it with security middleware
  2. Apply security middleware to set appropriate HTTP security headers for all routes
  3. Implement two routes:
    • GET /api/status - Returns JSON: {"status": "ok"}
    • GET /api/info - Returns JSON: {"app": "secure-api", "version": "1.0.0"}

Security Requirements

The application must set HTTP security headers to protect against common vulnerabilities including:

  • Cross-site scripting (XSS)
  • Clickjacking attacks
  • MIME type sniffing
  • Cross-origin attacks

The security configuration should use sensible defaults appropriate for a production API server.

Test Cases

  • When a request is made to /api/status, it returns status code 200 with JSON body {"status": "ok"} @test
  • When a request is made to /api/info, it returns status code 200 with JSON body containing app name and version @test
  • Response headers include X-Content-Type-Options set to nosniff @test
  • Response headers include X-Frame-Options to prevent clickjacking @test
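
The two header test cases above can be checked with a small audit function. This is an added example, not part of the original task or of koa-helmet; the helper name `auditSecurityHeaders`, the accepted X-Frame-Options values and the sample header objects are assumptions made for illustration.

```javascript
'use strict';

// Expected values for the two headers named in the test cases above.
// Accepting DENY or SAMEORIGIN for X-Frame-Options is an assumption of this
// example; the task only requires that the header is present.
const REQUIRED_HEADERS = {
  'x-content-type-options': (v) => v.toLowerCase() === 'nosniff',
  'x-frame-options': (v) => ['DENY', 'SAMEORIGIN'].includes(v.toUpperCase()),
};

// Hypothetical helper: returns a list of findings, empty when the headers pass.
function auditSecurityHeaders(headers) {
  // HTTP header names are case-insensitive, so normalise before lookup.
  // Node may expose a repeated header as an array, so collect every value.
  const seen = new Map();
  for (const [name, value] of Object.entries(headers)) {
    const values = Array.isArray(value) ? value : [value];
    const key = name.toLowerCase();
    const trimmed = values.map((v) => String(v).trim());
    seen.set(key, (seen.get(key) || []).concat(trimmed));
  }

  const findings = [];
  for (const [name, isValid] of Object.entries(REQUIRED_HEADERS)) {
    const values = seen.get(name);
    if (!values) {
      findings.push(`${name}: missing`);
    } else if (values.length > 1) {
      // A header sent more than once is ambiguous; flag it for review.
      findings.push(`${name}: sent ${values.length} times`);
    } else if (!isValid(values[0])) {
      findings.push(`${name}: unexpected value "${values[0]}"`);
    }
  }
  return findings;
}

// Constructed sample responses (not captured from a real server).
const hardened = { 'X-Content-Type-Options': 'nosniff', 'X-Frame-Options': 'SAMEORIGIN' };
const bare = { 'Content-Type': 'application/json; charset=utf-8' };
const weak = { 'x-content-type-options': 'sniff', 'X-FRAME-OPTIONS': ['DENY', 'SAMEORIGIN'] };

console.log(auditSecurityHeaders(hardened));
console.log(auditSecurityHeaders(bare));
console.log(auditSecurityHeaders(weak));
```
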

Implementation

@generates

API

// Create and configure a Koa application with security middleware
// Export the configured app (do not call app.listen() in this module)
module.exports = app;

Dependencies { .dependencies }

koa { .dependency }

Provides the web application framework.

koa-helmet { .dependency }

Provides security header middleware for Koa applications.

Install with Tessl CLI

npx tessl i tessl/npm-koa-helmet
