
tessl/npm-koa-helmet

Security header middleware collection for Koa applications that wraps Helmet.js


evals/scenario-6/task.md

Multi-Tier Security API

Build a Koa API server with route-specific security configurations that apply different security policies based on the sensitivity level of each endpoint.

@generates

Requirements

Your API server should have three route groups with distinct security requirements:

Public Routes

Routes under /public/* should have relaxed security suitable for public content:

  • Allow images from any domain in Content Security Policy
  • Allow inline styles ('unsafe-inline') in style sources
  • Set frame embedding protection to allow same-origin
  • Use HTTPS enforcement with 90-day maximum age (7776000 seconds)

API Routes

Routes under /api/* should have moderate security for API endpoints:

  • Deny all frame embedding completely
  • Use strict Content Security Policy allowing only same-origin resources
  • Use HTTPS enforcement with 180-day maximum age (15552000 seconds) and include subdomains
  • Disable DNS prefetching for privacy

Admin Routes

Routes under /admin/* should have maximum security for sensitive operations:

  • Deny all frame embedding completely
  • Use strict Content Security Policy with only 'self' sources (no unsafe-inline or unsafe-eval)
  • Use HTTPS enforcement with 1-year maximum age (31536000 seconds), include subdomains, and enable preload
  • Set referrer policy to send no referrer information
  • Set cross-origin opener policy to same-origin isolation

Test Cases

  • The server starts successfully and listens on a port @test
  • Public route /public/content allows images from any source in CSP headers @test
  • API route /api/data has frame-options set to DENY @test
  • Admin route /admin/dashboard has HSTS max-age of at least 31536000 seconds @test

Implementation Notes

  • Create a simple Koa application with the three route groups
  • Each route group should apply appropriate security middleware configuration
  • Routes should return simple text responses to indicate they're working
  • The server should be exportable for testing purposes

API

/**
 * Creates and configures a Koa application with route-specific security
 * @returns {Object} Koa application instance
 */
function createApp() {
  // Implementation
}

module.exports = { createApp };
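The following is an added example, not part of the original task.md or of the koa-helmet project: one way to implement `createApp()` so that each route group gets the tier-specific Helmet configuration listed under Requirements. It assumes `koa`, `koa-helmet` and `koa-router` are installed (see Dependencies); they are required lazily inside `createApp()` so the policy table and the header checker can be loaded and tested without them. The `checkHeaders()` helper, the `POLICIES` table, `tierFor()` and `startServer()` are names chosen here, not names from the task.

```javascript
// Added example: per-tier koa-helmet configuration for the three route groups.
// Assumes koa, koa-helmet and koa-router are installed; they are required
// lazily inside createApp() so the rest of this module loads without them.

// One Helmet option object per tier, mirroring the Requirements section.
// useDefaults is switched off for api/admin because Helmet's default CSP puts
// 'unsafe-inline' and https: into style-src, which those tiers must not allow.
const POLICIES = {
  public: {
    contentSecurityPolicy: {
      directives: {
        defaultSrc: ["'self'"],
        imgSrc: ['*'],                             // images from any domain
        styleSrc: ["'self'", "'unsafe-inline'"],   // inline styles allowed
      },
    },
    frameguard: { action: 'sameorigin' },
    hsts: { maxAge: 7776000 },                     // 90 days
  },
  api: {
    contentSecurityPolicy: {
      useDefaults: false,
      directives: { defaultSrc: ["'self'"], objectSrc: ["'none'"] }, // same-origin only
    },
    frameguard: { action: 'deny' },
    hsts: { maxAge: 15552000, includeSubDomains: true },   // 180 days + subdomains
    dnsPrefetchControl: { allow: false },
  },
  admin: {
    contentSecurityPolicy: {
      useDefaults: false,
      directives: {
        defaultSrc: ["'self'"],
        scriptSrc: ["'self'"],                     // no 'unsafe-inline' / 'unsafe-eval'
        styleSrc: ["'self'"],
        imgSrc: ["'self'"],
        objectSrc: ["'none'"],
      },
    },
    frameguard: { action: 'deny' },
    hsts: { maxAge: 31536000, includeSubDomains: true, preload: true }, // 1 year
    referrerPolicy: { policy: 'no-referrer' },
    crossOriginOpenerPolicy: { policy: 'same-origin' },
  },
};

// Map a request path to its tier. Anything outside the three groups gets the
// strictest tier, so an unlisted route never ships with relaxed headers.
function tierFor(path) {
  if (path.startsWith('/public/')) return 'public';
  if (path.startsWith('/api/')) return 'api';
  return 'admin';
}

function createApp() {
  const Koa = require('koa');
  const Router = require('koa-router');
  const helmet = require('koa-helmet');
  const app = new Koa();

  // Build each tier's helmet middleware once and select it per request by path.
  const byTier = Object.fromEntries(
    Object.entries(POLICIES).map(([tier, opts]) => [tier, helmet(opts)])
  );
  app.use((ctx, next) => byTier[tierFor(ctx.path)](ctx, next));

  const router = new Router();
  router.get('/public/content', (ctx) => { ctx.body = 'public ok'; });
  router.get('/api/data', (ctx) => { ctx.body = 'api ok'; });
  router.get('/admin/dashboard', (ctx) => { ctx.body = 'admin ok'; });
  app.use(router.routes()).use(router.allowedMethods());
  return app;
}

// For the "server starts and listens on a port" test case; never called on load.
function startServer(port = 3000) {
  return createApp().listen(port);
}

// Checks a response's headers against its tier's policy, following the Test
// Cases section. Accepts any plain header object (e.g. res.headers from a
// supertest response) and returns the violations found, empty when all pass.
function checkHeaders(tier, headers) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)])
  );
  const want = POLICIES[tier];
  const problems = [];
  const hsts = /max-age=(\d+)/.exec(h['strict-transport-security'] || '');
  if (!hsts || Number(hsts[1]) < want.hsts.maxAge) problems.push('hsts max-age below policy');
  if ((h['x-frame-options'] || '').toUpperCase() !== want.frameguard.action.toUpperCase()) {
    problems.push('x-frame-options does not match policy');
  }
  if (tier === 'public' && !/img-src[^;]*\*/.test(h['content-security-policy'] || '')) {
    problems.push('csp img-src must allow any source');
  }
  return problems;
}

module.exports = { createApp, startServer, checkHeaders, POLICIES, tierFor };
```

Selecting the middleware by path prefix in one app-level function keeps every request on exactly one policy, and the fall-through to `admin` in `tierFor()` makes the strict headers the default rather than the exception. `frameguard: { action: 'deny' }` is what produces `X-Frame-Options: DENY` for the /api/data test case, and `hsts.maxAge` in seconds is what the /admin/dashboard test compares against.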

Dependencies { .dependencies }

koa { .dependency }

Provides the web framework for building the API server.

koa-helmet { .dependency }

Provides security header middleware with configurable options for different routes.

koa-router { .dependency }

Provides routing capabilities for organizing endpoints into different route groups.
