kempo-server 1.3.0 → 1.4.3

package/.github/copilot-instructions.md

@@ -0,0 +1,96 @@
+# Code Contribution Guidelines
+
+## Coding Style Guidelines
+
+### Code Organization
+Use multi-line comments to separate code into logical sections. Group related functionality together.
+  - Example: In Lit components, group lifecycle callbacks, event handlers, public methods, utility functions, and rendering logic separately.
+
+```javascript
+/*
+  Lifecycle Callbacks
+*/
+```
+
+### Avoid single-use variables/functions
+Avoid defining a variable or function to only use it once; inline the logic where needed. Some exceptions include:
+  - recursion
+  - scope encapsulation (IIFE)
+  - context changes
+
+### Minimal Comments, Empty Lines, and Spacing
+
+Use minimal comments. Assume readers understand the language. Some exceptions include:
+  - complex logic
+  - anti-patterns
+  - code organization
+
+Do not put random empty lines within code; put them where they make sense for readability, for example:
+  - above and below definitions for functions and classes.
+  - to help break up large sections of logic to be more readable. If there are 100 lines of code with no breaks, it gets hard to read.
+  - above multi-line comments to indicate the comment belongs to the code below
+
+No  empty lines in css.
+
+End each file with an empty line.
+
+End each line with a `;` when possible, even if it is optional.
+
+Avoid unnecessary spacing, for example:
+  - after the word `if`
+  - within parentheses for conditional statements
+
+```javascript
+let count = 1;
+
+const incrementOdd = (n) => {
+  if(n % 2 !== 0){
+    return n++;
+  }
+  return n;
+};
+
+count = incrementOdd(count);
+```
+
+### Prefer Arrow Functions
+Prefer the use of arrow functions when possible, especially for class methods to avoid binding. Use normal functions if needed for preserving the proper context.
+ - For very basic logic, use implicit returns
+ - If there is a single parameter, omit the parentheses.
+```javascript
+const addOne = n => n + 1;
+```
+
+### Module Exports
+  - If a module has only one export, use the "default" export, not a named export.
+    - Do not declare the default export as a const or give it a name; just export the value.
+
+```javascript
+export default (n) => n + 1;
+```
+  - If a module has multiple exports, use named exports and do not use a "default" export.
+
+### Code Reuse
+Create utility functions for shared logic.
+  - If the shared logic is used in a single file, define a utility function in that file.
+  - If the shared logic is used in multiple files, create a utility function module file in `src/utils/`.
+
+### Naming
+Do not prefix identifiers with underscores.
+  - Never use leading underscores (`_`) for variable, property, method, or function names.
+  - Use clear, descriptive names without prefixes.
+  - When true privacy is needed inside classes, prefer native JavaScript private fields (e.g., `#myField`) instead of simulated privacy via underscores.
+
+## Lit Components
+
+### Component Architecture and Communication
+
+- Use methods to cause actions; do not emit events to trigger logic. Events are for notifying that something already happened.
+  - Prefer `el.closest('ktf-test-framework')?.enqueueSuite({...})` over firing an `enqueue` event.
+
+- Wrap dependent GUI components inside a parent `ktf-test-framework` element. Children find it via `closest('ktf-test-framework')` and call its methods. The framework can query its subtree to orchestrate children.
+
+- Avoid `window` globals and global custom events for coordination. If broadcast is needed, scope events to the framework element; reserve window events for global, non-visual concerns (e.g., settings changes).
+
+- Queued status must show the `scheduled` icon. Running may apply `animation="spin"`.
+

package/README.md

@@ -12,7 +12,7 @@ npm install kempo-server
 
 2. Add it to your `package.json` scripts, use the `--root` flag to tell it where the root of your site is.
 
-```json
+```
 {
   ...
   "scripts": {
@@ -213,7 +213,7 @@ export default async function(request, response) {
 
 To configure the server create a `.config.json` within the root directory of your server (`public` in the start example [above](#getting-started)).
 
-This json file can have any of the following 6 properties, any property not defined will use the "Default Config".
+This json file can have any of the following properties, any property not defined will use the "Default Config".
 
 - [allowedMimes](#allowedmimes)
 - [disallowedRegex](#disallowedregex)
@@ -221,6 +221,189 @@ This json file can have any of the following 6 properties, any property not defi
 - [routeFiles](#routefiles)
 - [noRescanPaths](#norescanpaths)
 - [maxRescanAttempts](#maxrescanattempts)
+- [middleware](#middleware)
+
+## Middleware
+
+Kempo Server includes a powerful middleware system that allows you to add functionality like authentication, logging, CORS, compression, and more. Middleware runs before your route handlers and can modify requests, responses, or handle requests entirely.
+
+### Built-in Middleware
+
+#### CORS
+Enable Cross-Origin Resource Sharing for your API:
+
+```json
+{
+  "middleware": {
+    "cors": {
+      "enabled": true,
+      "origin": "*",
+      "methods": ["GET", "POST", "PUT", "DELETE"],
+      "headers": ["Content-Type", "Authorization"]
+    }
+  }
+}
+```
+
+#### Compression
+Automatically compress responses with gzip:
+
+```json
+{
+  "middleware": {
+    "compression": {
+      "enabled": true,
+      "threshold": 1024
+    }
+  }
+}
+```
+
+#### Rate Limiting
+Limit requests per client to prevent abuse:
+
+```json
+{
+  "middleware": {
+    "rateLimit": {
+      "enabled": true,
+      "maxRequests": 100,
+      "windowMs": 60000,
+      "message": "Too many requests"
+    }
+  }
+}
+```
+
+#### Security Headers
+Add security headers to all responses:
+
+```json
+{
+  "middleware": {
+    "security": {
+      "enabled": true,
+      "headers": {
+        "X-Content-Type-Options": "nosniff",
+        "X-Frame-Options": "DENY",
+        "X-XSS-Protection": "1; mode=block"
+      }
+    }
+  }
+}
+```
+
+#### Request Logging
+Log requests with configurable detail:
+
+```json
+{
+  "middleware": {
+    "logging": {
+      "enabled": true,
+      "includeUserAgent": true,
+      "includeResponseTime": true
+    }
+  }
+}
+```
+
+### Custom Middleware
+
+Create your own middleware by writing JavaScript files and referencing them in your config:
+
+```json
+{
+  "middleware": {
+    "custom": ["./middleware/auth.js", "./middleware/analytics.js"]
+  }
+}
+```
+
+#### Custom Middleware Example
+
+```javascript
+// middleware/auth.js
+export default (config) => {
+  return async (req, res, next) => {
+    const token = req.headers.authorization;
+    
+    if (!token) {
+      req.user = null;
+      return await next();
+    }
+    
+    try {
+      // Verify JWT token (example)
+      const user = verifyToken(token);
+      req.user = user;
+      req.permissions = await getUserPermissions(user.id);
+      
+      // Add helper methods
+      req.hasPermission = (permission) => req.permissions.includes(permission);
+      
+    } catch (error) {
+      req.user = null;
+    }
+    
+    await next();
+  };
+};
+```
+
+#### Using Enhanced Requests in Routes
+
+Your route files can now access the enhanced request object:
+
+```javascript
+// api/user/profile/GET.js
+export default async (req, res, params) => {
+  if (!req.user) {
+    return res.status(401).json({ error: 'Authentication required' });
+  }
+  
+  if (!req.hasPermission('user:read')) {
+    return res.status(403).json({ error: 'Insufficient permissions' });
+  }
+  
+  const profile = await getUserProfile(req.user.id);
+  res.json(profile);
+};
+```
+
+### Middleware Order
+
+Middleware executes in this order:
+1. Built-in middleware (cors, compression, rateLimit, security, logging)
+2. Custom middleware (in the order listed in config)
+3. Your route handlers
+
+### Route Interception
+
+Middleware can intercept and handle routes completely, useful for authentication endpoints:
+
+```javascript
+// middleware/auth-routes.js
+export default (config) => {
+  return async (req, res, next) => {
+    const url = new URL(req.url, `http://${req.headers.host}`);
+    
+    // Handle login endpoint
+    if (req.method === 'POST' && url.pathname === '/auth/login') {
+      const credentials = await req.json();
+      const token = await authenticateUser(credentials);
+      
+      if (token) {
+        return res.json({ token, success: true });
+      } else {
+        return res.status(401).json({ error: 'Invalid credentials' });
+      }
+    }
+    
+    await next();
+  };
+};
+```
 
 ### allowedMimes
 
@@ -333,6 +516,8 @@ The maximum number of times to attempt rescanning the file system when a file is
 - **Zero Dependencies** - No external dependencies required
 - **File-based Routing** - Routes are defined by your directory structure
 - **Dynamic Routes** - Support for parameterized routes with square bracket syntax
+- **Wildcard Routes** - Map entire directory structures with wildcard patterns
+- **Middleware System** - Built-in and custom middleware support for authentication, logging, CORS, and more
 - **Request Object** - Request handling with built-in body parsing
 - **Response Object** - Response handling with chainable methods
 - **Multiple HTTP Methods** - Support for GET, POST, PUT, DELETE, and more
@@ -340,8 +525,8 @@ The maximum number of times to attempt rescanning the file system when a file is
 - **HTML Routes** - Support for both JavaScript and HTML route handlers
 - **Query Parameters** - Easy access to URL query parameters
 - **Configurable** - Customize behavior with a simple JSON config file
-- **Security** - Built-in protection against serving sensitive files
-- **Performance** - Smart file system caching and rescan optimization
+- **Security** - Built-in protection against serving sensitive files plus security headers middleware
+- **Performance** - Smart file system caching, rescan optimization, and optional compression
 
 ## Examples
 
@@ -440,3 +625,26 @@ Kempo Server supports several command line options to customize its behavior:
 ```bash
 kempo-server --root public --port 8080 --host 0.0.0.0 --verbose
 ```
+
+## Testing
+
+This project uses the Kempo Testing Framework. Tests live in the `tests/` folder and follow these naming conventions:
+
+- `[name].node-test.js` — Node-only tests
+- `[name].browser-test.js` — Browser-only tests
+- `[name].test.js` — Runs in both environments
+
+### Run tests
+
+Using npm scripts:
+
+```bash
+npm run tests         # Run all tests (Node + Browser)
+npm run tests:node    # Run Node tests only
+npm run tests:browser # Run Browser tests only
+npm run tests:gui     # Start the GUI test runner
+```
+
+For advanced usage (filters, flags, GUI options), see:
+https://github.com/dustinpoissant/kempo-testing-framework
+

package/docs/configuration.html

@@ -0,0 +1,119 @@
+<html lang="en" theme="auto">
+<head>
+  <meta charset='utf-8'>
+  <meta http-equiv='X-UA-Compatible' content='IE=edge'>
+  <title>Configuration - Kempo Server</title>
+  <meta name='viewport' content='width=device-width, initial-scale=1'>
+  <link rel="icon" type="image/png" sizes="48x48" href="media/icon48.png">
+  <link rel="manifest" href="manifest.json">
+  <link rel="stylesheet" href="essential.css" />
+</head>
+<body>
+  <main>
+    <a href="./" class="btn">Home</a>
+    <h1>Configuration</h1>
+    <p>Customize Kempo Server's behavior with a simple JSON configuration file.</p>
+
+    <h2>Configuration File</h2>
+    <p>To configure the server create a <code>.config.json</code> within the root directory of your server (<code>public</code> in the start example).</p>
+    <p>This json file can have any of the following properties. Any property not defined will use the default configuration.</p>
+
+    <h2>Configuration Options</h2>
+    <ul>
+      <li><a href="#allowedMimes">allowedMimes</a> - File types that can be served</li>
+      <li><a href="#disallowedRegex">disallowedRegex</a> - Patterns for paths that should be blocked</li>
+      <li><a href="#customRoutes">customRoutes</a> - Custom route mappings</li>
+      <li><a href="#routeFiles">routeFiles</a> - Files that should be treated as route handlers</li>
+      <li><a href="#noRescanPaths">noRescanPaths</a> - Paths that should not trigger file system rescans</li>
+      <li><a href="#maxRescanAttempts">maxRescanAttempts</a> - Maximum number of rescan attempts</li>
+      <li><a href="#middleware">middleware</a> - Middleware configuration</li>
+    </ul>
+
+    <h3 id="allowedMimes">allowedMimes</h3>
+    <p>An object mapping file extensions to their MIME types. Files with extensions not in this list will not be served.</p>
+    <pre><code class="hljs json">{<br />  <span class="hljs-attr">"allowedMimes"</span>: {<br />    <span class="hljs-attr">"html"</span>: <span class="hljs-string">"text/html"</span>,<br />    <span class="hljs-attr">"css"</span>: <span class="hljs-string">"text/css"</span>,<br />    <span class="hljs-attr">"js"</span>: <span class="hljs-string">"application/javascript"</span>,<br />    <span class="hljs-attr">"json"</span>: <span class="hljs-string">"application/json"</span>,<br />    <span class="hljs-attr">"png"</span>: <span class="hljs-string">"image/png"</span>,<br />    <span class="hljs-attr">"jpg"</span>: <span class="hljs-string">"image/jpeg"</span>,<br />    <span class="hljs-attr">"jpeg"</span>: <span class="hljs-string">"image/jpeg"</span>,<br />    <span class="hljs-attr">"gif"</span>: <span class="hljs-string">"image/gif"</span>,<br />    <span class="hljs-attr">"svg"</span>: <span class="hljs-string">"image/svg+xml"</span>,<br />    <span class="hljs-attr">"woff"</span>: <span class="hljs-string">"font/woff"</span>,<br />    <span class="hljs-attr">"woff2"</span>: <span class="hljs-string">"font/woff2"</span><br />  }<br />}</code></pre>
+
+    <h3 id="disallowedRegex">disallowedRegex</h3>
+    <p>An array of regular expressions that match paths that should never be served. This provides security by preventing access to sensitive files.</p>
+    <pre><code class="hljs json">{<br />  <span class="hljs-attr">"disallowedRegex"</span>: [<br />    <span class="hljs-string">"^/\\..*"</span>,        <span class="hljs-comment">// Hidden files (starting with .)</span><br />    <span class="hljs-string">"\\.env$"</span>,        <span class="hljs-comment">// Environment files</span><br />    <span class="hljs-string">"\\.config$"</span>,     <span class="hljs-comment">// Configuration files</span><br />    <span class="hljs-string">"password"</span>,      <span class="hljs-comment">// Files containing "password"</span><br />    <span class="hljs-string">"node_modules"</span>,  <span class="hljs-comment">// Node modules directory</span><br />    <span class="hljs-string">"\\.git"</span>          <span class="hljs-comment">// Git directory</span><br />  ]<br />}</code></pre>
+
+    <h3 id="routeFiles">routeFiles</h3>
+    <p>An array of filenames that should be treated as route handlers and executed as JavaScript modules.</p>
+    <pre><code class="hljs json">{<br />  <span class="hljs-attr">"routeFiles"</span>: [<br />    <span class="hljs-string">"GET.js"</span>,<br />    <span class="hljs-string">"POST.js"</span>,<br />    <span class="hljs-string">"PUT.js"</span>,<br />    <span class="hljs-string">"DELETE.js"</span>,<br />    <span class="hljs-string">"PATCH.js"</span>,<br />    <span class="hljs-string">"HEAD.js"</span>,<br />    <span class="hljs-string">"OPTIONS.js"</span>,<br />    <span class="hljs-string">"index.js"</span><br />  ]<br />}</code></pre>
+
+    <h3 id="noRescanPaths">noRescanPaths</h3>
+    <p>An array of regex patterns for paths that should not trigger a file system rescan. This improves performance for common static assets.</p>
+    <pre><code class="hljs json">{<br />  <span class="hljs-attr">"noRescanPaths"</span>: [<br />    <span class="hljs-string">"/favicon\\.ico$"</span>,<br />    <span class="hljs-string">"/robots\\.txt$"</span>,<br />    <span class="hljs-string">"\\.map$"</span>,<br />    <span class="hljs-string">"\\.css$"</span>,<br />    <span class="hljs-string">"\\.js$"</span>,<br />    <span class="hljs-string">"\\.png$"</span>,<br />    <span class="hljs-string">"\\.jpg$"</span>,<br />    <span class="hljs-string">"\\.jpeg$"</span>,<br />    <span class="hljs-string">"\\.gif$"</span><br />  ]<br />}</code></pre>
+
+    <h3 id="customRoutes">customRoutes</h3>
+    <p>An object mapping custom route paths to file paths. Useful for aliasing or serving files from outside the document root.</p>
+    
+    <h4>Basic Routes</h4>
+    <p>Map specific paths to files:</p>
+    <pre><code class="hljs json">{<br />  <span class="hljs-attr">"customRoutes"</span>: {<br />    <span class="hljs-attr">"/vendor/bootstrap.css"</span>: <span class="hljs-string">"./node_modules/bootstrap/dist/css/bootstrap.min.css"</span>,<br />    <span class="hljs-attr">"/api/status"</span>: <span class="hljs-string">"./status.js"</span>,<br />    <span class="hljs-attr">"/health"</span>: <span class="hljs-string">"./health-check.js"</span><br />  }<br />}</code></pre>
+
+    <h4>Wildcard Routes</h4>
+    <p>Wildcard routes allow you to map entire directory structures using the <code>*</code> wildcard:</p>
+    <pre><code class="hljs json">{<br />  <span class="hljs-attr">"customRoutes"</span>: {<br />    <span class="hljs-attr">"kempo/*"</span>: <span class="hljs-string">"./node_modules/kempo/dist/*"</span>,<br />    <span class="hljs-attr">"assets/*"</span>: <span class="hljs-string">"./static-files/*"</span>,<br />    <span class="hljs-attr">"docs/*"</span>: <span class="hljs-string">"./documentation/*"</span>,<br />    <span class="hljs-attr">"lib/*"</span>: <span class="hljs-string">"./node_modules/my-library/build/*"</span><br />  }<br />}</code></pre>
+
+    <p>With wildcard routes:</p>
+    <ul>
+      <li><code>kempo/styles.css</code> would serve <code>./node_modules/kempo/dist/styles.css</code></li>
+      <li><code>assets/logo.png</code> would serve <code>./static-files/logo.png</code></li>
+      <li><code>docs/readme.md</code> would serve <code>./documentation/readme.md</code></li>
+      <li><code>lib/utils.js</code> would serve <code>./node_modules/my-library/build/utils.js</code></li>
+    </ul>
+    <p>The <code>*</code> wildcard matches any single path segment (anything between <code>/</code> characters). Multiple wildcards can be used in a single route pattern.</p>
+
+    <h3 id="maxRescanAttempts">maxRescanAttempts</h3>
+    <p>The maximum number of times to attempt rescanning the file system when a file is not found. Defaults to 3.</p>
+    <pre><code class="hljs json">{<br />  <span class="hljs-attr">"maxRescanAttempts"</span>: <span class="hljs-number">3</span><br />}</code></pre>
+
+    <h3 id="middleware">middleware</h3>
+    <p>Configuration for built-in and custom middleware. Middleware runs before your route handlers and can modify requests, responses, or handle requests entirely.</p>
+    <pre><code class="hljs json">{<br />  <span class="hljs-attr">"middleware"</span>: {<br />    <span class="hljs-attr">"cors"</span>: {<br />      <span class="hljs-attr">"enabled"</span>: <span class="hljs-literal">true</span>,<br />      <span class="hljs-attr">"origin"</span>: <span class="hljs-string">"*"</span><br />    },<br />    <span class="hljs-attr">"compression"</span>: {<br />      <span class="hljs-attr">"enabled"</span>: <span class="hljs-literal">true</span><br />    },<br />    <span class="hljs-attr">"custom"</span>: [<span class="hljs-string">"./middleware/auth.js"</span>]<br />  }<br />}</code></pre>
+
+    <h2>Complete Configuration Example</h2>
+    <p>Here's a complete example of a <code>.config.json</code> file:</p>
+    <pre><code class="hljs json">{<br />  <span class="hljs-attr">"allowedMimes"</span>: {<br />    <span class="hljs-attr">"html"</span>: <span class="hljs-string">"text/html"</span>,<br />    <span class="hljs-attr">"css"</span>: <span class="hljs-string">"text/css"</span>,<br />    <span class="hljs-attr">"js"</span>: <span class="hljs-string">"application/javascript"</span>,<br />    <span class="hljs-attr">"json"</span>: <span class="hljs-string">"application/json"</span>,<br />    <span class="hljs-attr">"png"</span>: <span class="hljs-string">"image/png"</span>,<br />    <span class="hljs-attr">"jpg"</span>: <span class="hljs-string">"image/jpeg"</span>,<br />    <span class="hljs-attr">"jpeg"</span>: <span class="hljs-string">"image/jpeg"</span>,<br />    <span class="hljs-attr">"gif"</span>: <span class="hljs-string">"image/gif"</span>,<br />    <span class="hljs-attr">"svg"</span>: <span class="hljs-string">"image/svg+xml"</span>,<br />    <span class="hljs-attr">"woff"</span>: <span class="hljs-string">"font/woff"</span>,<br />    <span class="hljs-attr">"woff2"</span>: <span class="hljs-string">"font/woff2"</span><br />  },<br />  <span class="hljs-attr">"disallowedRegex"</span>: [<br />    <span class="hljs-string">"^/\\..*"</span>,<br />    <span class="hljs-string">"\\.env$"</span>,<br />    <span class="hljs-string">"\\.config$"</span>,<br />    <span class="hljs-string">"password"</span>,<br />    <span class="hljs-string">"node_modules"</span>,<br />    <span class="hljs-string">"\\.git"</span><br />  ],<br />  <span class="hljs-attr">"routeFiles"</span>: [<br />    <span class="hljs-string">"GET.js"</span>,<br />    <span class="hljs-string">"POST.js"</span>,<br />    <span class="hljs-string">"PUT.js"</span>,<br />    <span class="hljs-string">"DELETE.js"</span>,<br />    <span class="hljs-string">"PATCH.js"</span>,<br />    <span class="hljs-string">"HEAD.js"</span>,<br />    <span class="hljs-string">"OPTIONS.js"</span>,<br />    <span class="hljs-string">"index.js"</span><br />  ],<br />  <span class="hljs-attr">"noRescanPaths"</span>: [<br />    <span class="hljs-string">"/favicon\\.ico$"</span>,<br />    <span class="hljs-string">"/robots\\.txt$"</span>,<br />    <span class="hljs-string">"\\.map$"</span>,<br />    <span class="hljs-string">"\\.css$"</span>,<br />    <span class="hljs-string">"\\.js$"</span>,<br />    <span class="hljs-string">"\\.png$"</span>,<br />    <span class="hljs-string">"\\.jpg$"</span>,<br />    <span class="hljs-string">"\\.jpeg$"</span>,<br />    <span class="hljs-string">"\\.gif$"</span><br />  ],<br />  <span class="hljs-attr">"customRoutes"</span>: {<br />    <span class="hljs-attr">"/vendor/bootstrap.css"</span>: <span class="hljs-string">"./node_modules/bootstrap/dist/css/bootstrap.min.css"</span>,<br />    <span class="hljs-attr">"/vendor/jquery.js"</span>: <span class="hljs-string">"./node_modules/jquery/dist/jquery.min.js"</span>,<br />    <span class="hljs-attr">"assets/*"</span>: <span class="hljs-string">"./static-files/*"</span>,<br />    <span class="hljs-attr">"docs/*"</span>: <span class="hljs-string">"./documentation/*"</span><br />  },<br />  <span class="hljs-attr">"maxRescanAttempts"</span>: <span class="hljs-number">3</span>,<br />  <span class="hljs-attr">"middleware"</span>: {<br />    <span class="hljs-attr">"cors"</span>: {<br />      <span class="hljs-attr">"enabled"</span>: <span class="hljs-literal">true</span>,<br />      <span class="hljs-attr">"origin"</span>: <span class="hljs-string">"*"</span>,<br />      <span class="hljs-attr">"methods"</span>: [<span class="hljs-string">"GET"</span>, <span class="hljs-string">"POST"</span>, <span class="hljs-string">"PUT"</span>, <span class="hljs-string">"DELETE"</span>],<br />      <span class="hljs-attr">"headers"</span>: [<span class="hljs-string">"Content-Type"</span>, <span class="hljs-string">"Authorization"</span>]<br />    },<br />    <span class="hljs-attr">"compression"</span>: {<br />      <span class="hljs-attr">"enabled"</span>: <span class="hljs-literal">true</span>,<br />      <span class="hljs-attr">"threshold"</span>: <span class="hljs-number">1024</span><br />    },<br />    <span class="hljs-attr">"security"</span>: {<br />      <span class="hljs-attr">"enabled"</span>: <span class="hljs-literal">true</span>,<br />      <span class="hljs-attr">"headers"</span>: {<br />        <span class="hljs-attr">"X-Content-Type-Options"</span>: <span class="hljs-string">"nosniff"</span>,<br />        <span class="hljs-attr">"X-Frame-Options"</span>: <span class="hljs-string">"DENY"</span>,<br />        <span class="hljs-attr">"X-XSS-Protection"</span>: <span class="hljs-string">"1; mode=block"</span><br />      }<br />    },<br />    <span class="hljs-attr">"custom"</span>: [<br />      <span class="hljs-string">"./middleware/auth.js"</span>,<br />      <span class="hljs-string">"./middleware/logging.js"</span><br />    ]<br />  }<br />}</code></pre>
+
+    <h2>Environment-Specific Configuration</h2>
+    <p>You can create different configuration files for different environments:</p>
+    
+    <h3>Development Configuration</h3>
+    <p>Create <code>.config.dev.json</code> for development:</p>
+    <pre><code class="hljs json">{<br />  <span class="hljs-attr">"allowedMimes"</span>: {<br />    <span class="hljs-attr">"html"</span>: <span class="hljs-string">"text/html"</span>,<br />    <span class="hljs-attr">"css"</span>: <span class="hljs-string">"text/css"</span>,<br />    <span class="hljs-attr">"js"</span>: <span class="hljs-string">"application/javascript"</span>,<br />    <span class="hljs-attr">"json"</span>: <span class="hljs-string">"application/json"</span>,<br />    <span class="hljs-attr">"map"</span>: <span class="hljs-string">"application/json"</span><br />  },<br />  <span class="hljs-attr">"middleware"</span>: {<br />    <span class="hljs-attr">"cors"</span>: {<br />      <span class="hljs-attr">"enabled"</span>: <span class="hljs-literal">true</span>,<br />      <span class="hljs-attr">"origin"</span>: <span class="hljs-string">"*"</span><br />    },<br />    <span class="hljs-attr">"compression"</span>: {<br />      <span class="hljs-attr">"enabled"</span>: <span class="hljs-literal">false</span><br />    }<br />  }<br />}</code></pre>
+
+    <h3>Production Configuration</h3>
+    <p>Create <code>.config.prod.json</code> for production:</p>
+    <pre><code class="hljs json">{<br />  <span class="hljs-attr">"allowedMimes"</span>: {<br />    <span class="hljs-attr">"html"</span>: <span class="hljs-string">"text/html"</span>,<br />    <span class="hljs-attr">"css"</span>: <span class="hljs-string">"text/css"</span>,<br />    <span class="hljs-attr">"js"</span>: <span class="hljs-string">"application/javascript"</span>,<br />    <span class="hljs-attr">"json"</span>: <span class="hljs-string">"application/json"</span>,<br />    <span class="hljs-attr">"png"</span>: <span class="hljs-string">"image/png"</span>,<br />    <span class="hljs-attr">"jpg"</span>: <span class="hljs-string">"image/jpeg"</span><br />  },<br />  <span class="hljs-attr">"disallowedRegex"</span>: [<br />    <span class="hljs-string">"^/\\..*"</span>,<br />    <span class="hljs-string">"\\.env$"</span>,<br />    <span class="hljs-string">"\\.config$"</span>,<br />    <span class="hljs-string">"password"</span>,<br />    <span class="hljs-string">"node_modules"</span>,<br />    <span class="hljs-string">"\\.git"</span>,<br />    <span class="hljs-string">"\\.map$"</span><br />  ],<br />  <span class="hljs-attr">"middleware"</span>: {<br />    <span class="hljs-attr">"cors"</span>: {<br />      <span class="hljs-attr">"enabled"</span>: <span class="hljs-literal">true</span>,<br />      <span class="hljs-attr">"origin"</span>: <span class="hljs-string">"https://yourdomain.com"</span><br />    },<br />    <span class="hljs-attr">"compression"</span>: {<br />      <span class="hljs-attr">"enabled"</span>: <span class="hljs-literal">true</span>,<br />      <span class="hljs-attr">"threshold"</span>: <span class="hljs-number">1024</span><br />    },<br />    <span class="hljs-attr">"security"</span>: {<br />      <span class="hljs-attr">"enabled"</span>: <span class="hljs-literal">true</span>,<br />      <span class="hljs-attr">"headers"</span>: {<br />        <span class="hljs-attr">"X-Content-Type-Options"</span>: <span class="hljs-string">"nosniff"</span>,<br />        <span class="hljs-attr">"X-Frame-Options"</span>: <span class="hljs-string">"DENY"</span>,<br />        <span class="hljs-attr">"X-XSS-Protection"</span>: <span class="hljs-string">"1; mode=block"</span>,<br />        <span class="hljs-attr">"Strict-Transport-Security"</span>: <span class="hljs-string">"max-age=31536000; includeSubDomains"</span><br />      }<br />    }<br />  }<br />}</code></pre>
+
+    <h2>Configuration Tips</h2>
+    
+    <h3>Security Best Practices</h3>
+    <ul>
+      <li>Always include patterns to block sensitive files in <code>disallowedRegex</code></li>
+      <li>Use strict CORS settings in production</li>
+      <li>Enable security headers middleware</li>
+      <li>Don't serve source maps in production</li>
+    </ul>
+
+    <h3>Performance Optimization</h3>
+    <ul>
+      <li>Use <code>noRescanPaths</code> for static assets to improve performance</li>
+      <li>Enable compression for larger files</li>
+      <li>Use custom routes to serve files from CDN or optimized locations</li>
+      <li>Limit <code>maxRescanAttempts</code> to prevent excessive file system scanning</li>
+    </ul>
+
+    <h3>Development vs Production</h3>
+    <ul>
+      <li>Enable source maps in development, disable in production</li>
+      <li>Use relaxed CORS in development, strict in production</li>
+      <li>Enable compression in production for better performance</li>
+      <li>Add more security headers in production</li>
+    </ul>
+  </main>
+  <div style="height:25vh"></div>
+</body>
+</html>