Moved 'internal-server' into a sub-folder as opposed to a git submodule. (#1715)

* Ignored tests in 'internal-server' folder since there are none.
* Linter fixes

9 files changed, 986 insertions, 0 deletions

diff --git a/src/internal-server/config/app.js b/src/internal-server/config/app.js
new file mode 100644
index 000000000..0a1644932
--- /dev/null
+++ b/src/internal-server/config/app.js
@@ -0,0 +1,240 @@
+/** @type {import('@adonisjs/framework/src/Env')} */
+const Env = use('Env');
+
+module.exports = {
+
+  /*
+  |--------------------------------------------------------------------------
+  | Application Name
+  |--------------------------------------------------------------------------
+  |
+  | This value is the name of your application and can used when you
+  | need to place the application's name in a email, view or
+  | other location.
+  |
+  */
+
+  name: Env.get('APP_NAME', 'Ferdi Internal Server'),
+
+  /*
+  |--------------------------------------------------------------------------
+  | App Key
+  |--------------------------------------------------------------------------
+  |
+  | App key is a randomly generated 16 or 32 characters long string required
+  | to encrypt cookies, sessions and other sensitive data.
+  |
+  */
+  appKey: Env.getOrFail('APP_KEY'),
+
+  http: {
+    /*
+    |--------------------------------------------------------------------------
+    | Allow Method Spoofing
+    |--------------------------------------------------------------------------
+    |
+    | Method spoofing allows to make requests by spoofing the http verb.
+    | Which means you can make a GET request but instruct the server to
+    | treat as a POST or PUT request. If you want this feature, set the
+    | below value to true.
+    |
+    */
+    allowMethodSpoofing: true,
+
+    /*
+    |--------------------------------------------------------------------------
+    | Trust Proxy
+    |--------------------------------------------------------------------------
+    |
+    | Trust proxy defines whether X-Forwarded-* headers should be trusted or not.
+    | When your application is behind a proxy server like nginx, these values
+    | are set automatically and should be trusted. Apart from setting it
+    | to true or false Adonis supports handful or ways to allow proxy
+    | values. Read documentation for that.
+    |
+    */
+    trustProxy: false,
+
+    /*
+    |--------------------------------------------------------------------------
+    | Subdomains
+    |--------------------------------------------------------------------------
+    |
+    | Offset to be used for returning subdomains for a given request.For
+    | majority of applications it will be 2, until you have nested
+    | sudomains.
+    | cheatsheet.adonisjs.com      - offset - 2
+    | virk.cheatsheet.adonisjs.com - offset - 3
+    |
+    */
+    subdomainOffset: 2,
+
+    /*
+    |--------------------------------------------------------------------------
+    | JSONP Callback
+    |--------------------------------------------------------------------------
+    |
+    | Default jsonp callback to be used when callback query string is missing
+    | in request url.
+    |
+    */
+    jsonpCallback: 'callback',
+
+    /*
+    |--------------------------------------------------------------------------
+    | Etag
+    |--------------------------------------------------------------------------
+    |
+    | Set etag on all HTTP response. In order to disable for selected routes,
+    | you can call the `response.send` with an options object as follows.
+    |
+    | response.send('Hello', { ignoreEtag: true })
+    |
+    */
+    etag: false,
+  },
+
+  views: {
+    /*
+    |--------------------------------------------------------------------------
+    | Cache Views
+    |--------------------------------------------------------------------------
+    |
+    | Define whether or not to cache the compiled view. Set it to true in
+    | production to optimize view loading time.
+    |
+    */
+    cache: Env.get('CACHE_VIEWS', true),
+  },
+
+  static: {
+    /*
+    |--------------------------------------------------------------------------
+    | Dot Files
+    |--------------------------------------------------------------------------
+    |
+    | Define how to treat dot files when trying to server static resources.
+    | By default it is set to ignore, which will pretend that dotfiles
+    | does not exists.
+    |
+    | Can be one of the following
+    | ignore, deny, allow
+    |
+    */
+    dotfiles: 'ignore',
+
+    /*
+    |--------------------------------------------------------------------------
+    | ETag
+    |--------------------------------------------------------------------------
+    |
+    | Enable or disable etag generation
+    |
+    */
+    etag: true,
+
+    /*
+    |--------------------------------------------------------------------------
+    | Extensions
+    |--------------------------------------------------------------------------
+    |
+    | Set file extension fallbacks. When set, if a file is not found, the given
+    | extensions will be added to the file name and search for. The first
+    | that exists will be served. Example: ['html', 'htm'].
+    |
+    */
+    extensions: false,
+  },
+
+  locales: {
+    /*
+    |--------------------------------------------------------------------------
+    | Loader
+    |--------------------------------------------------------------------------
+    |
+    | The loader to be used for fetching and updating locales. Below is the
+    | list of available options.
+    |
+    | file, database
+    |
+    */
+    loader: 'file',
+
+    /*
+    |--------------------------------------------------------------------------
+    | Default Locale
+    |--------------------------------------------------------------------------
+    |
+    | Default locale to be used by Antl provider. You can always switch drivers
+    | in runtime or use the official Antl middleware to detect the driver
+    | based on HTTP headers/query string.
+    |
+    */
+    locale: 'en',
+  },
+
+  logger: {
+    /*
+    |--------------------------------------------------------------------------
+    | Transport
+    |--------------------------------------------------------------------------
+    |
+    | Transport to be used for logging messages. You can have multiple
+    | transports using same driver.
+    |
+    | Available drivers are: `file` and `console`.
+    |
+    */
+    transport: 'console',
+
+    /*
+    |--------------------------------------------------------------------------
+    | Console Transport
+    |--------------------------------------------------------------------------
+    |
+    | Using `console` driver for logging. This driver writes to `stdout`
+    | and `stderr`
+    |
+    */
+    console: {
+      driver: 'console',
+      name: 'adonis-app',
+      level: 'info',
+    },
+
+    /*
+    |--------------------------------------------------------------------------
+    | File Transport
+    |--------------------------------------------------------------------------
+    |
+    | File transport uses file driver and writes log messages for a given
+    | file inside `tmp` directory for your app.
+    |
+    | For a different directory, set an absolute path for the filename.
+    |
+    */
+    file: {
+      driver: 'file',
+      name: 'adonis-app',
+      filename: 'adonis.log',
+      level: 'info',
+    },
+  },
+
+  /*
+  |--------------------------------------------------------------------------
+  | Generic Cookie Options
+  |--------------------------------------------------------------------------
+  |
+  | The following cookie options are generic settings used by AdonisJs to create
+  | cookies. However, some parts of the application like `sessions` can have
+  | separate settings for cookies inside `config/session.js`.
+  |
+  */
+  cookie: {
+    httpOnly: true,
+    sameSite: false,
+    path: '/',
+    maxAge: 7200,
+  },
+};
diff --git a/src/internal-server/config/auth.js b/src/internal-server/config/auth.js
new file mode 100644
index 000000000..adb38126a
--- /dev/null
+++ b/src/internal-server/config/auth.js
@@ -0,0 +1,92 @@
+/** @type {import('@adonisjs/framework/src/Env')} */
+const Env = use('Env');
+
+module.exports = {
+  /*
+  |--------------------------------------------------------------------------
+  | Authenticator
+  |--------------------------------------------------------------------------
+  |
+  | Authentication is a combination of serializer and scheme with extra
+  | config to define on how to authenticate a user.
+  |
+  | Available Schemes - basic, session, jwt, api
+  | Available Serializers - lucid, database
+  |
+  */
+  authenticator: 'jwt',
+
+  /*
+  |--------------------------------------------------------------------------
+  | Session
+  |--------------------------------------------------------------------------
+  |
+  | Session authenticator makes use of sessions to authenticate a user.
+  | Session authentication is always persistent.
+  |
+  */
+  session: {
+    serializer: 'lucid',
+    model: 'App/Models/User',
+    scheme: 'session',
+    uid: 'email',
+    password: 'password',
+  },
+
+  /*
+  |--------------------------------------------------------------------------
+  | Basic Auth
+  |--------------------------------------------------------------------------
+  |
+  | The basic auth authenticator uses basic auth header to authenticate a
+  | user.
+  |
+  | NOTE:
+  | This scheme is not persistent and users are supposed to pass
+  | login credentials on each request.
+  |
+  */
+  basic: {
+    serializer: 'lucid',
+    model: 'App/Models/User',
+    scheme: 'basic',
+    uid: 'email',
+    password: 'password',
+  },
+
+  /*
+  |--------------------------------------------------------------------------
+  | Jwt
+  |--------------------------------------------------------------------------
+  |
+  | The jwt authenticator works by passing a jwt token on each HTTP request
+  | via HTTP `Authorization` header.
+  |
+  */
+  jwt: {
+    serializer: 'lucid',
+    model: 'App/Models/User',
+    scheme: 'jwt',
+    uid: 'email',
+    password: 'password',
+    options: {
+      secret: Env.get('APP_KEY'),
+    },
+  },
+
+  /*
+  |--------------------------------------------------------------------------
+  | Api
+  |--------------------------------------------------------------------------
+  |
+  | The Api scheme makes use of API personal tokens to authenticate a user.
+  |
+  */
+  api: {
+    serializer: 'lucid',
+    model: 'App/Models/User',
+    scheme: 'api',
+    uid: 'email',
+    password: 'password',
+  },
+};
diff --git a/src/internal-server/config/bodyParser.js b/src/internal-server/config/bodyParser.js
new file mode 100644
index 000000000..8a5406f9e
--- /dev/null
+++ b/src/internal-server/config/bodyParser.js
@@ -0,0 +1,155 @@
+module.exports = {
+  /*
+  |--------------------------------------------------------------------------
+  | JSON Parser
+  |--------------------------------------------------------------------------
+  |
+  | Below settings are applied when the request body contains a JSON payload.
+  | If you want body parser to ignore JSON payloads, then simply set `types`
+  | to an empty array.
+  */
+  json: {
+    /*
+    |--------------------------------------------------------------------------
+    | limit
+    |--------------------------------------------------------------------------
+    |
+    | Defines the limit of JSON that can be sent by the client. If payload
+    | is over 1mb it will not be processed.
+    |
+    */
+    limit: '50mb',
+
+    /*
+    |--------------------------------------------------------------------------
+    | strict
+    |--------------------------------------------------------------------------
+    |
+    | When `strict` is set to true, body parser will only parse Arrays and
+    | Object. Otherwise everything parseable by `JSON.parse` is parsed.
+    |
+    */
+    strict: true,
+
+    /*
+    |--------------------------------------------------------------------------
+    | types
+    |--------------------------------------------------------------------------
+    |
+    | Which content types are processed as JSON payloads. You are free to
+    | add your own types here, but the request body should be parseable
+    | by `JSON.parse` method.
+    |
+    */
+    types: [
+      'application/json',
+      'application/json-patch+json',
+      'application/vnd.api+json',
+      'application/csp-report',
+    ],
+  },
+
+  /*
+  |--------------------------------------------------------------------------
+  | Raw Parser
+  |--------------------------------------------------------------------------
+  |
+  |
+  |
+  */
+  raw: {
+    types: [
+      'text/*',
+    ],
+  },
+
+  /*
+  |--------------------------------------------------------------------------
+  | Form Parser
+  |--------------------------------------------------------------------------
+  |
+  |
+  |
+  */
+  form: {
+    types: [
+      'application/x-www-form-urlencoded',
+    ],
+  },
+
+  /*
+  |--------------------------------------------------------------------------
+  | Files Parser
+  |--------------------------------------------------------------------------
+  |
+  |
+  |
+  */
+  files: {
+    types: [
+      'multipart/form-data',
+    ],
+
+    /*
+    |--------------------------------------------------------------------------
+    | Max Size
+    |--------------------------------------------------------------------------
+    |
+    | Below value is the max size of all the files uploaded to the server. It
+    | is validated even before files have been processed and hard exception
+    | is thrown.
+    |
+    | Consider setting a reasonable value here, otherwise people may upload GB's
+    | of files which will keep your server busy.
+    |
+    | Also this value is considered when `autoProcess` is set to true.
+    |
+    */
+    maxSize: '20mb',
+
+    /*
+    |--------------------------------------------------------------------------
+    | Auto Process
+    |--------------------------------------------------------------------------
+    |
+    | Whether or not to auto-process files. Since HTTP servers handle files via
+    | couple of specific endpoints. It is better to set this value off and
+    | manually process the files when required.
+    |
+    | This value can contain a boolean or an array of route patterns
+    | to be autoprocessed.
+    */
+    autoProcess: true,
+
+    /*
+    |--------------------------------------------------------------------------
+    | Process Manually
+    |--------------------------------------------------------------------------
+    |
+    | The list of routes that should not process files and instead rely on
+    | manual process. This list should only contain routes when autoProcess
+    | is to true. Otherwise everything is processed manually.
+    |
+    */
+    processManually: [],
+
+    /*
+    |--------------------------------------------------------------------------
+    | Temporary file name
+    |--------------------------------------------------------------------------
+    |
+    | Define a function, which should return a string to be used as the
+    | tmp file name.
+    |
+    | If not defined, Bodyparser will use `uuid` as the tmp file name.
+    |
+    | To be defined as. If you are defining the function, then do make sure
+    | to return a value from it.
+    |
+    | tmpFileName () {
+    |   return 'some-unique-value'
+    | }
+    |
+    */
+  },
+};
diff --git a/src/internal-server/config/cors.js b/src/internal-server/config/cors.js
new file mode 100644
index 000000000..ca57dff0d
--- /dev/null
+++ b/src/internal-server/config/cors.js
@@ -0,0 +1,85 @@
+module.exports = {
+  /*
+  |--------------------------------------------------------------------------
+  | Origin
+  |--------------------------------------------------------------------------
+  |
+  | Set a list of origins to be allowed. The value can be one of the following
+  |
+  | Boolean: true - Allow current request origin
+  | Boolean: false - Disallow all
+  | String - Comma separated list of allowed origins
+  | Array - An array of allowed origins
+  | String: * - A wildcard to allow current request origin
+  | Function - Receives the current origin and should return one of the above values.
+  |
+  */
+  origin: false,
+
+  /*
+  |--------------------------------------------------------------------------
+  | Methods
+  |--------------------------------------------------------------------------
+  |
+  | HTTP methods to be allowed. The value can be one of the following
+  |
+  | String - Comma separated list of allowed methods
+  | Array - An array of allowed methods
+  |
+  */
+  methods: ['GET', 'PUT', 'PATCH', 'POST', 'DELETE'],
+
+  /*
+  |--------------------------------------------------------------------------
+  | Headers
+  |--------------------------------------------------------------------------
+  |
+  | List of headers to be allowed via Access-Control-Request-Headers header.
+  | The value can be one of the following.
+  |
+  | Boolean: true - Allow current request headers
+  | Boolean: false - Disallow all
+  | String - Comma separated list of allowed headers
+  | Array - An array of allowed headers
+  | String: * - A wildcard to allow current request headers
+  | Function - Receives the current header and should return one of the above values.
+  |
+  */
+  headers: true,
+
+  /*
+  |--------------------------------------------------------------------------
+  | Expose Headers
+  |--------------------------------------------------------------------------
+  |
+  | A list of headers to be exposed via `Access-Control-Expose-Headers`
+  | header. The value can be one of the following.
+  |
+  | Boolean: false - Disallow all
+  | String: Comma separated list of allowed headers
+  | Array - An array of allowed headers
+  |
+  */
+  exposeHeaders: false,
+
+  /*
+  |--------------------------------------------------------------------------
+  | Credentials
+  |--------------------------------------------------------------------------
+  |
+  | Define Access-Control-Allow-Credentials header. It should always be a
+  | boolean.
+  |
+  */
+  credentials: false,
+
+  /*
+  |--------------------------------------------------------------------------
+  | MaxAge
+  |--------------------------------------------------------------------------
+  |
+  | Define Access-Control-Allow-Max-Age
+  |
+  */
+  maxAge: 90,
+};
diff --git a/src/internal-server/config/database.js b/src/internal-server/config/database.js
new file mode 100644
index 000000000..1b5974359
--- /dev/null
+++ b/src/internal-server/config/database.js
@@ -0,0 +1,82 @@
+/** @type {import('@adonisjs/framework/src/Env')} */
+const Env = use('Env');
+
+const dbPath = process.env.DB_PATH;
+
+module.exports = {
+  /*
+  |--------------------------------------------------------------------------
+  | Default Connection
+  |--------------------------------------------------------------------------
+  |
+  | Connection defines the default connection settings to be used while
+  | interacting with SQL databases.
+  |
+  */
+  connection: Env.get('DB_CONNECTION', 'sqlite'),
+
+  /*
+  |--------------------------------------------------------------------------
+  | Sqlite
+  |--------------------------------------------------------------------------
+  |
+  | Sqlite is a flat file database and can be a good choice for a development
+  | environment.
+  |
+  | npm i --save sqlite3
+  |
+  */
+  sqlite: {
+    client: 'sqlite3',
+    connection: {
+      // filename: Helpers.databasePath(`${Env.get('DB_DATABASE', 'development')}.sqlite`),
+      filename: dbPath,
+    },
+    useNullAsDefault: true,
+    debug: Env.get('DB_DEBUG', false),
+  },
+
+  /*
+  |--------------------------------------------------------------------------
+  | MySQL
+  |--------------------------------------------------------------------------
+  |
+  | Here we define connection settings for MySQL database.
+  |
+  | npm i --save mysql
+  |
+  */
+  mysql: {
+    client: 'mysql',
+    connection: {
+      host: Env.get('DB_HOST', 'localhost'),
+      port: Env.get('DB_PORT', ''),
+      user: Env.get('DB_USER', 'root'),
+      password: Env.get('DB_PASSWORD', ''),
+      database: Env.get('DB_DATABASE', 'adonis'),
+    },
+    debug: Env.get('DB_DEBUG', false),
+  },
+
+  /*
+  |--------------------------------------------------------------------------
+  | PostgreSQL
+  |--------------------------------------------------------------------------
+  |
+  | Here we define connection settings for PostgreSQL database.
+  |
+  | npm i --save pg
+  |
+  */
+  pg: {
+    client: 'pg',
+    connection: {
+      host: Env.get('DB_HOST', 'localhost'),
+      port: Env.get('DB_PORT', ''),
+      user: Env.get('DB_USER', 'root'),
+      password: Env.get('DB_PASSWORD', ''),
+      database: Env.get('DB_DATABASE', 'adonis'),
+    },
+    debug: Env.get('DB_DEBUG', false),
+  },
+};
diff --git a/src/internal-server/config/drive.js b/src/internal-server/config/drive.js
new file mode 100644
index 000000000..617ce470a
--- /dev/null
+++ b/src/internal-server/config/drive.js
@@ -0,0 +1,45 @@
+const Env = use('Env');
+
+module.exports = {
+  /*
+  |--------------------------------------------------------------------------
+  | Default disk
+  |--------------------------------------------------------------------------
+  |
+  | The default disk is used when you interact with the file system without
+  | defining a disk name
+  |
+  */
+  default: 'local',
+
+  disks: {
+    /*
+    |--------------------------------------------------------------------------
+    | Local
+    |--------------------------------------------------------------------------
+    |
+    | Local disk interacts with the a local folder inside your application
+    |
+    */
+    local: {
+      root: `${__dirname}/../recipes`,
+      driver: 'local',
+    },
+
+    /*
+    |--------------------------------------------------------------------------
+    | S3
+    |--------------------------------------------------------------------------
+    |
+    | S3 disk interacts with a bucket on aws s3
+    |
+    */
+    s3: {
+      driver: 's3',
+      key: Env.get('S3_KEY'),
+      secret: Env.get('S3_SECRET'),
+      bucket: Env.get('S3_BUCKET'),
+      region: Env.get('S3_REGION'),
+    },
+  },
+};
diff --git a/src/internal-server/config/hash.js b/src/internal-server/config/hash.js
new file mode 100644
index 000000000..bbf32f691
--- /dev/null
+++ b/src/internal-server/config/hash.js
@@ -0,0 +1,47 @@
+/** @type {import('@adonisjs/framework/src/Env')} */
+const Env = use('Env');
+
+module.exports = {
+  /*
+  |--------------------------------------------------------------------------
+  | Driver
+  |--------------------------------------------------------------------------
+  |
+  | Driver to be used for hashing values. The same driver is used by the
+  | auth module too.
+  |
+  */
+  driver: Env.get('HASH_DRIVER', 'bcrypt'),
+
+  /*
+  |--------------------------------------------------------------------------
+  | Bcrypt
+  |--------------------------------------------------------------------------
+  |
+  | Config related to bcrypt hashing. https://www.npmjs.com/package/bcrypt
+  | package is used internally.
+  |
+  */
+  bcrypt: {
+    rounds: 10,
+  },
+
+  /*
+  |--------------------------------------------------------------------------
+  | Argon
+  |--------------------------------------------------------------------------
+  |
+  | Config related to argon. https://www.npmjs.com/package/argon2 package is
+  | used internally.
+  |
+  | Since argon is optional, you will have to install the dependency yourself
+  |
+  |============================================================================
+  | npm i argon2
+  |============================================================================
+  |
+  */
+  argon: {
+    type: 1,
+  },
+};
diff --git a/src/internal-server/config/session.js b/src/internal-server/config/session.js
new file mode 100644
index 000000000..62c4f9cc8
--- /dev/null
+++ b/src/internal-server/config/session.js
@@ -0,0 +1,97 @@
+const Env = use('Env');
+
+module.exports = {
+  /*
+  |--------------------------------------------------------------------------
+  | Session Driver
+  |--------------------------------------------------------------------------
+  |
+  | The session driver to be used for storing session values. It can be
+  | cookie, file or redis.
+  |
+  | For `redis` driver, make sure to install and register `@adonisjs/redis`
+  |
+  */
+  driver: Env.get('SESSION_DRIVER', 'cookie'),
+
+  /*
+  |--------------------------------------------------------------------------
+  | Cookie Name
+  |--------------------------------------------------------------------------
+  |
+  | The name of the cookie to be used for saving session id. Session ids
+  | are signed and encrypted.
+  |
+  */
+  cookieName: 'adonis-session',
+
+  /*
+  |--------------------------------------------------------------------------
+  | Clear session when browser closes
+  |--------------------------------------------------------------------------
+  |
+  | If this value is true, the session cookie will be temporary and will be
+  | removed when browser closes.
+  |
+  */
+  clearWithBrowser: true,
+
+  /*
+  |--------------------------------------------------------------------------
+  | Session age
+  |--------------------------------------------------------------------------
+  |
+  | This value is only used when `clearWithBrowser` is set to false. The
+  | age must be a valid https://npmjs.org/package/ms string or should
+  | be in milliseconds.
+  |
+  | Valid values are:
+  |  '2h', '10d', '5y', '2.5 hrs'
+  |
+  */
+  age: '2h',
+
+  /*
+  |--------------------------------------------------------------------------
+  | Cookie options
+  |--------------------------------------------------------------------------
+  |
+  | Cookie options defines the options to be used for setting up session
+  | cookie
+  |
+  */
+  cookie: {
+    httpOnly: true,
+    path: '/',
+    sameSite: false,
+  },
+
+  /*
+  |--------------------------------------------------------------------------
+  | Sessions location
+  |--------------------------------------------------------------------------
+  |
+  | If driver is set to file, we need to define the relative location from
+  | the temporary path or absolute url to any location.
+  |
+  */
+  file: {
+    location: 'sessions',
+  },
+
+  /*
+  |--------------------------------------------------------------------------
+  | Redis config
+  |--------------------------------------------------------------------------
+  |
+  | The configuration for the redis driver.
+  |
+  */
+  redis: {
+    host: '127.0.0.1',
+    port: 6379,
+    password: null,
+    db: 0,
+    keyPrefix: '',
+  },
+};
diff --git a/src/internal-server/config/shield.js b/src/internal-server/config/shield.js
new file mode 100644
index 000000000..76f430e91
--- /dev/null
+++ b/src/internal-server/config/shield.js
@@ -0,0 +1,143 @@
+module.exports = {
+  /*
+  |--------------------------------------------------------------------------
+  | Content Security Policy
+  |--------------------------------------------------------------------------
+  |
+  | Content security policy filters out the origins not allowed to execute
+  | and load resources like scripts, styles and fonts. There are wide
+  | variety of options to choose from.
+  */
+  csp: {
+    /*
+    |--------------------------------------------------------------------------
+    | Directives
+    |--------------------------------------------------------------------------
+    |
+    | All directives are defined in camelCase and here is the list of
+    | available directives and their possible values.
+    |
+    | https://content-security-policy.com
+    |
+    | @example
+    | directives: {
+    |   defaultSrc: ['self', '@nonce', 'cdnjs.cloudflare.com']
+    | }
+    |
+    */
+    directives: {
+    },
+    /*
+    |--------------------------------------------------------------------------
+    | Report only
+    |--------------------------------------------------------------------------
+    |
+    | Setting `reportOnly=true` will not block the scripts from running and
+    | instead report them to a URL.
+    |
+    */
+    reportOnly: false,
+    /*
+    |--------------------------------------------------------------------------
+    | Set all headers
+    |--------------------------------------------------------------------------
+    |
+    | Headers staring with `X` have been depreciated, since all major browsers
+    | supports the standard CSP header. So its better to disable deperciated
+    | headers, unless you want them to be set.
+    |
+    */
+    setAllHeaders: false,
+
+    /*
+    |--------------------------------------------------------------------------
+    | Disable on android
+    |--------------------------------------------------------------------------
+    |
+    | Certain versions of android are buggy with CSP policy. So you can set
+    | this value to true, to disable it for Android versions with buggy
+    | behavior.
+    |
+    | Here is an issue reported on a different package, but helpful to read
+    | if you want to know the behavior. https://github.com/helmetjs/helmet/pull/82
+    |
+    */
+    disableAndroid: true,
+  },
+
+  /*
+  |--------------------------------------------------------------------------
+  | X-XSS-Protection
+  |--------------------------------------------------------------------------
+  |
+  | X-XSS Protection saves from applications from XSS attacks. It is adopted
+  | by IE and later followed by some other browsers.
+  |
+  | Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
+  |
+  */
+  xss: {
+    enabled: true,
+    enableOnOldIE: false,
+  },
+
+  /*
+  |--------------------------------------------------------------------------
+  | Iframe Options
+  |--------------------------------------------------------------------------
+  |
+  | xframe defines whether or not your website can be embedded inside an
+  | iframe. Choose from one of the following options.
+  | @available options
+  | DENY, SAMEORIGIN, ALLOW-FROM http://example.com
+  |
+  | Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+  */
+  xframe: 'DENY',
+
+  /*
+  |--------------------------------------------------------------------------
+  | No Sniff
+  |--------------------------------------------------------------------------
+  |
+  | Browsers have a habit of sniffing content-type of a response. Which means
+  | files with .txt extension containing Javascript code will be executed as
+  | Javascript. You can disable this behavior by setting nosniff to false.
+  |
+  | Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+  |
+  */
+  nosniff: true,
+
+  /*
+  |--------------------------------------------------------------------------
+  | No Open
+  |--------------------------------------------------------------------------
+  |
+  | IE users can execute webpages in the context of your website, which is
+  | a serious security risk. Below option will manage this for you.
+  |
+  */
+  noopen: true,
+
+  /*
+  |--------------------------------------------------------------------------
+  | CSRF Protection
+  |--------------------------------------------------------------------------
+  |
+  | CSRF Protection adds another layer of security by making sure, actionable
+  | routes does have a valid token to execute an action.
+  |
+  */
+  csrf: {
+    enable: true,
+    methods: ['POST', 'PUT', 'DELETE'],
+    filterUris: [],
+    cookieOptions: {
+      httpOnly: false,
+      sameSite: true,
+      path: '/',
+      maxAge: 7200,
+    },
+  },
+};