author | vantezzen <properly@protonmail.com> | 2019-09-04 09:59:25 +0200 |
---|---|---|
committer | vantezzen <properly@protonmail.com> | 2019-09-04 09:59:25 +0200 |
commit | ea03e3766efffeb5e6b9bb90f566e64bf44640f3 (patch) | |
tree | 36f52de9554a08456949cc4a7fa5b40adc84ca94 /config/shield.js | |
parent | Better response when recipe creation is disabled (diff) | |
Add user dashboard
Diffstat (limited to 'config/shield.js')
-rw-r--r-- | config/shield.js | 145 |
1 files changed, 145 insertions, 0 deletions
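--- /dev/null
+++ b/config/shield.js
@@ -0,0 +1,145 @@
+'use strict'
+
+module.exports = {
+/*
+|--------------------------------------------------------------------------
+| Content Security Policy
+|--------------------------------------------------------------------------
+|
+| Content security policy filters out the origins not allowed to execute
+| and load resources like scripts, styles and fonts. There are wide
+| variety of options to choose from.
+*/
+csp: {
+/*
+|--------------------------------------------------------------------------
+| Directives
+|--------------------------------------------------------------------------
+|
+| All directives are defined in camelCase and here is the list of
+| available directives and their possible values.
+|
+| https://content-security-policy.com
+|
+| @example
+| directives: {
+| defaultSrc: ['self', '@nonce', 'cdnjs.cloudflare.com']
+| }
+|
+*/
+directives: {
+},
+/*
+|--------------------------------------------------------------------------
+| Report only
+|--------------------------------------------------------------------------
+|
+| Setting `reportOnly=true` will not block the scripts from running and
+| instead report them to a URL.
+|
+*/
+reportOnly: false,
+/*
+|--------------------------------------------------------------------------
+| Set all headers
+|--------------------------------------------------------------------------
+|
+| Headers staring with `X` have been depreciated, since all major browsers
+| supports the standard CSP header. So its better to disable deperciated
+| headers, unless you want them to be set.
+|
+*/
+setAllHeaders: false,
+
+/*
+|--------------------------------------------------------------------------
+| Disable on android
+|--------------------------------------------------------------------------
+|
+| Certain versions of android are buggy with CSP policy. So you can set
+| this value to true, to disable it for Android versions with buggy
+| behavior.
+|
+| Here is an issue reported on a different package, but helpful to read
+| if you want to know the behavior. https://github.com/helmetjs/helmet/pull/82
+|
+*/
+disableAndroid: true
+},
+
+/*
+|--------------------------------------------------------------------------
+| X-XSS-Protection
+|--------------------------------------------------------------------------
+|
+| X-XSS Protection saves from applications from XSS attacks. It is adopted
+| by IE and later followed by some other browsers.
+|
+| Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
+|
+*/
+xss: {
+enabled: true,
+enableOnOldIE: false
+},
+
+/*
+|--------------------------------------------------------------------------
+| Iframe Options
+|--------------------------------------------------------------------------
+|
+| xframe defines whether or not your website can be embedded inside an
+| iframe. Choose from one of the following options.
+| @available options
+| DENY, SAMEORIGIN, ALLOW-FROM http://example.com
+|
+| Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+*/
+xframe: 'DENY',
+
+/*
+|--------------------------------------------------------------------------
+| No Sniff
+|--------------------------------------------------------------------------
+|
+| Browsers have a habit of sniffing content-type of a response. Which means
+| files with .txt extension containing Javascript code will be executed as
+| Javascript. You can disable this behavior by setting nosniff to false.
+|
+| Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+|
+*/
+nosniff: true,
+
+/*
+|--------------------------------------------------------------------------
+| No Open
+|--------------------------------------------------------------------------
+|
+| IE users can execute webpages in the context of your website, which is
+| a serious security risk. Below option will manage this for you.
+|
+*/
+noopen: true,
+
+/*
+|--------------------------------------------------------------------------
+| CSRF Protection
+|--------------------------------------------------------------------------
+|
+| CSRF Protection adds another layer of security by making sure, actionable
+| routes does have a valid token to execute an action.
+|
+*/
+csrf: {
+enable: true,
+methods: ['POST', 'PUT', 'DELETE'],
+filterUris: [],
+cookieOptions: {
+httpOnly: false,
+sameSite: true,
+path: '/',
+maxAge: 7200
+}
+}
+}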
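Review bot: `directives: {}` (gutter line 30) defines no policy at all, so as far as this file shows the whole `csp` section is inert and the new user dashboard ships without a usable Content-Security-Policy. A minimal starting point that still allows same-origin assets would be `directives: { defaultSrc: ['self'], objectSrc: ['none'], frameAncestors: ['none'] }`, with `'@nonce'` added to `scriptSrc` wherever the dashboard needs inline scripts. `disableAndroid: true` then drops the CSP header for every Android user agent, which only made sense for the old stock browser; once a real policy exists it should be `false`. In the `csrf` block, `methods: ['POST', 'PUT', 'DELETE']` leaves `PATCH` unchecked, so add `'PATCH'` if any dashboard route accepts it. The `nosniff` comment is also inverted and links to the X-Frame-Options page; it should say that `nosniff: true` sends `X-Content-Type-Options: nosniff` and point to https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options.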