
@clocklimited/cf-api
A pluggable JSON API server
This is CatfishApi but without all of the bloat and a simple API to register plugins. Everything becomes a plugin.
npm install --save cf-api
var createApi = require('cf-api')
// options, homepage, submit and port are supplied by your application
var api = createApi(options)
var server = api.initialize()
server.get('/', homepage)
server.post('/form', submit)
// This tells the api that you've finished adding your routes
// and you now want it to add the error handling middleware
server.emit('preBoot')
server.listen(port)
Create an API instance. There are options available:
checkOrigin - a function with the signature function (url, cb) {} to check req.headers.origin. cb(null, true) to allow an origin, cb(null, false) to deny an origin. Defaults to cb(null, true) for all requests, meaning all cross-domain requests are allowed. It is up to the user to implement their whitelist/blacklist.
logger - a logger object with methods debug(), info(), warn() and error() (default: console).
maxBodySize - an option to be passed along to the body-parser json middleware function. If this is a number it will be the number of bytes, otherwise it will be parsed by the bytes module (default: undefined, which falls back to the body parser default of '100kB').
initialMiddleware - an Express middleware function that will be used before all other middleware. Useful for Sentry error handlers.
corsOptions - an object with the following keys:
  exposeHeaders - sets Access-Control-Expose-Headers
For backwards compatibility, the allowedDomains option still works and generates a checkOrigin function for you.
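An added example (not from the cf-api README) of a checkOrigin function with the documented function (url, cb) {} signature, replacing the allow-all default with an exact-match allowlist. The sample origins and the names normalizeOrigin and createCheckOrigin are hypothetical, and how cf-api treats a request with no Origin header is not stated on this page; this function denies it.

```javascript
// Added example: exact-match allowlist for the checkOrigin option.
// Constructed sample origins; replace with the front ends you actually serve.
const ALLOWED_ORIGINS = ['https://app.example.com', 'https://admin.example.com']

// Reduce a candidate to a canonical https origin, or null if it is not one.
function normalizeOrigin (value) {
  if (typeof value !== 'string') return null
  let parsed
  try {
    parsed = new URL(value)
  } catch (err) {
    return null // covers the literal "null" origin and other non-URLs
  }
  if (parsed.protocol !== 'https:') return null
  if (parsed.username || parsed.password) return null
  if (parsed.pathname !== '/' || parsed.search || parsed.hash) return null
  return parsed.origin
}

// Build a function with the documented signature function (url, cb) {}.
function createCheckOrigin (allowed) {
  const allowedSet = new Set(allowed.map(normalizeOrigin).filter(Boolean))
  return function checkOrigin (url, cb) {
    const origin = normalizeOrigin(url)
    // Set membership is an exact comparison: no substring or suffix matching.
    cb(null, origin !== null && allowedSet.has(origin))
  }
}

const checkOrigin = createCheckOrigin(ALLOWED_ORIGINS)
// Pass it as an option: var api = createApi({ checkOrigin: checkOrigin })
```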
Create and return the server.
Access-Control-Allow-Credentials is now set to true
express is now installed as a peer dependency
server.emit('preBoot') after all routes have been added to tell the api to add the last piece of middleware: the error handler. This is due to a change in Express 4.
checkOrigin option in place of allowedDomains. Latter is still supported for compatibility.
Built by developers at Clock.
Licensed under the New BSD License
FAQs
The npm package @clocklimited/cf-api receives a total of 52 weekly downloads. As such, @clocklimited/cf-api popularity was classified as not popular.
We found that @clocklimited/cf-api demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 8 open source maintainers collaborating on the project.