1 files changed, 143 insertions, 0 deletions
diff --git a/src/internal-server/config/shield.js b/src/internal-server/config/shield.js
new file mode 100644
index 000000000..76f430e91
--- /dev/null
+++ b/src/internal-server/config/shield.js
@@ -0,0 +1,143 @@
+module.exports = {
+  /*
+  |--------------------------------------------------------------------------
+  | Content Security Policy
+  |--------------------------------------------------------------------------
+  |
+  | Content security policy filters out the origins not allowed to execute
+  | and load resources like scripts, styles and fonts. There are wide
+  | variety of options to choose from.
+  */
+  csp: {
+    /*
+    |--------------------------------------------------------------------------
+    | Directives
+    |--------------------------------------------------------------------------
+    |
+    | All directives are defined in camelCase and here is the list of
+    | available directives and their possible values.
+    |
+    | https://content-security-policy.com
+    |
+    | @example
+    | directives: {
+    |   defaultSrc: ['self', '@nonce', 'cdnjs.cloudflare.com']
+    | }
+    |
+    */
+    directives: {
+    },
+    /*
+    |--------------------------------------------------------------------------
+    | Report only
+    |--------------------------------------------------------------------------
+    |
+    | Setting `reportOnly=true` will not block the scripts from running and
+    | instead report them to a URL.
+    |
+    */
+    reportOnly: false,
+    /*
+    |--------------------------------------------------------------------------
+    | Set all headers
+    |--------------------------------------------------------------------------
+    |
+    | Headers staring with `X` have been depreciated, since all major browsers
+    | supports the standard CSP header. So its better to disable deperciated
+    | headers, unless you want them to be set.
+    |
+    */
+    setAllHeaders: false,
+    /*
+    |--------------------------------------------------------------------------
+    | Disable on android
+    |--------------------------------------------------------------------------
+    |
+    | Certain versions of android are buggy with CSP policy. So you can set
+    | this value to true, to disable it for Android versions with buggy
+    | behavior.
+    |
+    | Here is an issue reported on a different package, but helpful to read
+    | if you want to know the behavior. https://github.com/helmetjs/helmet/pull/82
+    |
+    */
+    disableAndroid: true,
+  },
+  /*
+  |--------------------------------------------------------------------------
+  | X-XSS-Protection
+  |--------------------------------------------------------------------------
+  |
+  | X-XSS Protection saves from applications from XSS attacks. It is adopted
+  | by IE and later followed by some other browsers.
+  |
+  | Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
+  |
+  */
+  xss: {
+    enabled: true,
+    enableOnOldIE: false,
+  },
+  /*
+  |--------------------------------------------------------------------------
+  | Iframe Options
+  |--------------------------------------------------------------------------
+  |
+  | xframe defines whether or not your website can be embedded inside an
+  | iframe. Choose from one of the following options.
+  | @available options
+  | DENY, SAMEORIGIN, ALLOW-FROM http://example.com
+  |
+  | Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+  */
+  xframe: 'DENY',
+  /*
+  |--------------------------------------------------------------------------
+  | No Sniff
+  |--------------------------------------------------------------------------
+  |
+  | Browsers have a habit of sniffing content-type of a response. Which means
+  | files with .txt extension containing Javascript code will be executed as
+  | Javascript. You can disable this behavior by setting nosniff to false.
+  |
+  | Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+  |
+  */
+  nosniff: true,
+  /*
+  |--------------------------------------------------------------------------
+  | No Open
+  |--------------------------------------------------------------------------
+  |
+  | IE users can execute webpages in the context of your website, which is
+  | a serious security risk. Below option will manage this for you.
+  |
+  */
+  noopen: true,
+  /*
+  |--------------------------------------------------------------------------
+  | CSRF Protection
+  |--------------------------------------------------------------------------
+  |
+  | CSRF Protection adds another layer of security by making sure, actionable
+  | routes does have a valid token to execute an action.
+  |
+  */
+  csrf: {
+    enable: true,
+    methods: ['POST', 'PUT', 'DELETE'],
+    filterUris: [],
+    cookieOptions: {
+      httpOnly: false,
+      sameSite: true,
+      path: '/',
+      maxAge: 7200,
+    },
+  },
+};

diff --git a/src/internal-server/config/shield.js b/src/internal-server/config/shield.js new file mode 100644 index 000000000..76f430e91 --- /dev/null +++ b/src/internal-server/config/shield.js
@@ -0,0 +1,143 @@
	1	module.exports = {
	2	/*
	3	\|--------------------------------------------------------------------------
	4	\| Content Security Policy
	5	\|--------------------------------------------------------------------------
	6	\|
	7	\| Content security policy filters out the origins not allowed to execute
	8	\| and load resources like scripts, styles and fonts. There are wide
	9	\| variety of options to choose from.
	10	*/
	11	csp: {
	12	/*
	13	\|--------------------------------------------------------------------------
	14	\| Directives
	15	\|--------------------------------------------------------------------------
	16	\|
	17	\| All directives are defined in camelCase and here is the list of
	18	\| available directives and their possible values.
	19	\|
	20	\| https://content-security-policy.com
	21	\|
	22	\| @example
	23	\| directives: {
	24	\| defaultSrc: ['self', '@nonce', 'cdnjs.cloudflare.com']
	25	\| }
	26	\|
	27	*/
	28	directives: {
	29	},
	30	/*
	31	\|--------------------------------------------------------------------------
	32	\| Report only
	33	\|--------------------------------------------------------------------------
	34	\|
	35	\| Setting `reportOnly=true` will not block the scripts from running and
	36	\| instead report them to a URL.
	37	\|
	38	*/
	39	reportOnly: false,
	40	/*
	41	\|--------------------------------------------------------------------------
	42	\| Set all headers
	43	\|--------------------------------------------------------------------------
	44	\|
	45	\| Headers staring with `X` have been depreciated, since all major browsers
	46	\| supports the standard CSP header. So its better to disable deperciated
	47	\| headers, unless you want them to be set.
	48	\|
	49	*/
	50	setAllHeaders: false,
	51
	52	/*
	53	\|--------------------------------------------------------------------------
	54	\| Disable on android
	55	\|--------------------------------------------------------------------------
	56	\|
	57	\| Certain versions of android are buggy with CSP policy. So you can set
	58	\| this value to true, to disable it for Android versions with buggy
	59	\| behavior.
	60	\|
	61	\| Here is an issue reported on a different package, but helpful to read
	62	\| if you want to know the behavior. https://github.com/helmetjs/helmet/pull/82
	63	\|
	64	*/
	65	disableAndroid: true,
	66	},
	67
	68	/*
	69	\|--------------------------------------------------------------------------
	70	\| X-XSS-Protection
	71	\|--------------------------------------------------------------------------
	72	\|
	73	\| X-XSS Protection saves from applications from XSS attacks. It is adopted
	74	\| by IE and later followed by some other browsers.
	75	\|
	76	\| Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
	77	\|
	78	*/
	79	xss: {
	80	enabled: true,
	81	enableOnOldIE: false,
	82	},
	83
	84	/*
	85	\|--------------------------------------------------------------------------
	86	\| Iframe Options
	87	\|--------------------------------------------------------------------------
	88	\|
	89	\| xframe defines whether or not your website can be embedded inside an
	90	\| iframe. Choose from one of the following options.
	91	\| @available options
	92	\| DENY, SAMEORIGIN, ALLOW-FROM http://example.com
	93	\|
	94	\| Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
	95	*/
	96	xframe: 'DENY',
	97
	98	/*
	99	\|--------------------------------------------------------------------------
	100	\| No Sniff
	101	\|--------------------------------------------------------------------------
	102	\|
	103	\| Browsers have a habit of sniffing content-type of a response. Which means
	104	\| files with .txt extension containing Javascript code will be executed as
	105	\| Javascript. You can disable this behavior by setting nosniff to false.
	106	\|
	107	\| Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
	108	\|
	109	*/
	110	nosniff: true,
	111
	112	/*
	113	\|--------------------------------------------------------------------------
	114	\| No Open
	115	\|--------------------------------------------------------------------------
	116	\|
	117	\| IE users can execute webpages in the context of your website, which is
	118	\| a serious security risk. Below option will manage this for you.
	119	\|
	120	*/
	121	noopen: true,
	122
	123	/*
	124	\|--------------------------------------------------------------------------
	125	\| CSRF Protection
	126	\|--------------------------------------------------------------------------
	127	\|
	128	\| CSRF Protection adds another layer of security by making sure, actionable
	129	\| routes does have a valid token to execute an action.
	130	\|
	131	*/
	132	csrf: {
	133	enable: true,
	134	methods: ['POST', 'PUT', 'DELETE'],
	135	filterUris: [],
	136	cookieOptions: {
	137	httpOnly: false,
	138	sameSite: true,
	139	path: '/',
	140	maxAge: 7200,
	141	},
	142	},
	143	};