Diffstat (limited to 'src/internal-server/config/shield.js')
-rw-r--r-- | src/internal-server/config/shield.js | 143 |
1 files changed, 143 insertions, 0 deletions
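--- /dev/null
+++ b/src/internal-server/config/shield.js
@@ -0,0 +1,143 @@
+module.exports = {
+/*
+|--------------------------------------------------------------------------
+| Content Security Policy
+|--------------------------------------------------------------------------
+|
+| Content security policy filters out the origins not allowed to execute
+| and load resources like scripts, styles and fonts. There are wide
+| variety of options to choose from.
+*/
+csp: {
+/*
+|--------------------------------------------------------------------------
+| Directives
+|--------------------------------------------------------------------------
+|
+| All directives are defined in camelCase and here is the list of
+| available directives and their possible values.
+|
+| https://content-security-policy.com
+|
+| @example
+| directives: {
+| defaultSrc: ['self', '@nonce', 'cdnjs.cloudflare.com']
+| }
+|
+*/
+directives: {
+},
+/*
+|--------------------------------------------------------------------------
+| Report only
+|--------------------------------------------------------------------------
+|
+| Setting `reportOnly=true` will not block the scripts from running and
+| instead report them to a URL.
+|
+*/
+reportOnly: false,
+/*
+|--------------------------------------------------------------------------
+| Set all headers
+|--------------------------------------------------------------------------
+|
+| Headers staring with `X` have been depreciated, since all major browsers
+| supports the standard CSP header. So its better to disable deperciated
+| headers, unless you want them to be set.
+|
+*/
+setAllHeaders: false,
+
+/*
+|--------------------------------------------------------------------------
+| Disable on android
+|--------------------------------------------------------------------------
+|
+| Certain versions of android are buggy with CSP policy. So you can set
+| this value to true, to disable it for Android versions with buggy
+| behavior.
+|
+| Here is an issue reported on a different package, but helpful to read
+| if you want to know the behavior. https://github.com/helmetjs/helmet/pull/82
+|
+*/
+disableAndroid: true,
+},
+
+/*
+|--------------------------------------------------------------------------
+| X-XSS-Protection
+|--------------------------------------------------------------------------
+|
+| X-XSS Protection saves from applications from XSS attacks. It is adopted
+| by IE and later followed by some other browsers.
+|
+| Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
+|
+*/
+xss: {
+enabled: true,
+enableOnOldIE: false,
+},
+
+/*
+|--------------------------------------------------------------------------
+| Iframe Options
+|--------------------------------------------------------------------------
+|
+| xframe defines whether or not your website can be embedded inside an
+| iframe. Choose from one of the following options.
+| @available options
+| DENY, SAMEORIGIN, ALLOW-FROM http://example.com
+|
+| Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+*/
+xframe: 'DENY',
+
+/*
+|--------------------------------------------------------------------------
+| No Sniff
+|--------------------------------------------------------------------------
+|
+| Browsers have a habit of sniffing content-type of a response. Which means
+| files with .txt extension containing Javascript code will be executed as
+| Javascript. You can disable this behavior by setting nosniff to false.
+|
+| Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+|
+*/
+nosniff: true,
+
+/*
+|--------------------------------------------------------------------------
+| No Open
+|--------------------------------------------------------------------------
+|
+| IE users can execute webpages in the context of your website, which is
+| a serious security risk. Below option will manage this for you.
+|
+*/
+noopen: true,
+
+/*
+|--------------------------------------------------------------------------
+| CSRF Protection
+|--------------------------------------------------------------------------
+|
+| CSRF Protection adds another layer of security by making sure, actionable
+| routes does have a valid token to execute an action.
+|
+*/
+csrf: {
+enable: true,
+methods: ['POST', 'PUT', 'DELETE'],
+filterUris: [],
+cookieOptions: {
+httpOnly: false,
+sameSite: true,
+path: '/',
+maxAge: 7200,
+},
+},
+};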
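Review bot: The `csrf.methods` list on the new side covers POST, PUT and DELETE but not PATCH, so a state-changing PATCH route would be served without a token check; if the internal server routes any PATCH handlers, the line should read `methods: ['POST', 'PUT', 'PATCH', 'DELETE'],`. The No Sniff comment is inverted and links to the wrong page: `nosniff: true` is what suppresses content-type sniffing, and the reference should read `| Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options`. The empty `directives: {}` means no Content-Security-Policy is actually emitted until a policy is filled in, which is worth stating in the block comment above it so the default is not mistaken for a restrictive one. `httpOnly: false` on the CSRF cookie presumably exists so client-side code can read the token for the double-submit header; a one-line comment saying so would keep a later reviewer from "fixing" it.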