1 files changed, 145 insertions, 0 deletions
diff --git a/config/shield.js b/config/shield.js
new file mode 100644
index 0000000..3d4526a
--- /dev/null
+++ b/config/shield.js
@@ -0,0 +1,145 @@
+'use strict'
+module.exports = {
+  /*
+  |--------------------------------------------------------------------------
+  | Content Security Policy
+  |--------------------------------------------------------------------------
+  |
+  | Content security policy filters out the origins not allowed to execute
+  | and load resources like scripts, styles and fonts. There are wide
+  | variety of options to choose from.
+  */
+  csp: {
+    /*
+    |--------------------------------------------------------------------------
+    | Directives
+    |--------------------------------------------------------------------------
+    |
+    | All directives are defined in camelCase and here is the list of
+    | available directives and their possible values.
+    |
+    | https://content-security-policy.com
+    |
+    | @example
+    | directives: {
+    |   defaultSrc: ['self', '@nonce', 'cdnjs.cloudflare.com']
+    | }
+    |
+    */
+    directives: {
+    },
+    /*
+    |--------------------------------------------------------------------------
+    | Report only
+    |--------------------------------------------------------------------------
+    |
+    | Setting `reportOnly=true` will not block the scripts from running and
+    | instead report them to a URL.
+    |
+    */
+    reportOnly: false,
+    /*
+    |--------------------------------------------------------------------------
+    | Set all headers
+    |--------------------------------------------------------------------------
+    |
+    | Headers staring with `X` have been depreciated, since all major browsers
+    | supports the standard CSP header. So its better to disable deperciated
+    | headers, unless you want them to be set.
+    |
+    */
+    setAllHeaders: false,
+    /*
+    |--------------------------------------------------------------------------
+    | Disable on android
+    |--------------------------------------------------------------------------
+    |
+    | Certain versions of android are buggy with CSP policy. So you can set
+    | this value to true, to disable it for Android versions with buggy
+    | behavior.
+    |
+    | Here is an issue reported on a different package, but helpful to read
+    | if you want to know the behavior. https://github.com/helmetjs/helmet/pull/82
+    |
+    */
+    disableAndroid: true
+  },
+  /*
+  |--------------------------------------------------------------------------
+  | X-XSS-Protection
+  |--------------------------------------------------------------------------
+  |
+  | X-XSS Protection saves from applications from XSS attacks. It is adopted
+  | by IE and later followed by some other browsers.
+  |
+  | Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
+  |
+  */
+  xss: {
+    enabled: true,
+    enableOnOldIE: false
+  },
+  /*
+  |--------------------------------------------------------------------------
+  | Iframe Options
+  |--------------------------------------------------------------------------
+  |
+  | xframe defines whether or not your website can be embedded inside an
+  | iframe. Choose from one of the following options.
+  | @available options
+  | DENY, SAMEORIGIN, ALLOW-FROM http://example.com
+  |
+  | Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+  */
+  xframe: 'DENY',
+  /*
+  |--------------------------------------------------------------------------
+  | No Sniff
+  |--------------------------------------------------------------------------
+  |
+  | Browsers have a habit of sniffing content-type of a response. Which means
+  | files with .txt extension containing Javascript code will be executed as
+  | Javascript. You can disable this behavior by setting nosniff to false.
+  |
+  | Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+  |
+  */
+  nosniff: true,
+  /*
+  |--------------------------------------------------------------------------
+  | No Open
+  |--------------------------------------------------------------------------
+  |
+  | IE users can execute webpages in the context of your website, which is
+  | a serious security risk. Below option will manage this for you.
+  |
+  */
+  noopen: true,
+  /*
+  |--------------------------------------------------------------------------
+  | CSRF Protection
+  |--------------------------------------------------------------------------
+  |
+  | CSRF Protection adds another layer of security by making sure, actionable
+  | routes does have a valid token to execute an action.
+  |
+  */
+  csrf: {
+    enable: true,
+    methods: ['POST', 'PUT', 'DELETE'],
+    filterUris: [],
+    cookieOptions: {
+      httpOnly: false,
+      sameSite: true,
+      path: '/',
+      maxAge: 7200
+    }
+  }
+}

diff --git a/config/shield.js b/config/shield.js new file mode 100644 index 0000000..3d4526a --- /dev/null +++ b/config/shield.js
@@ -0,0 +1,145 @@
	1	'use strict'
	2
	3	module.exports = {
	4	/*
	5	\|--------------------------------------------------------------------------
	6	\| Content Security Policy
	7	\|--------------------------------------------------------------------------
	8	\|
	9	\| Content security policy filters out the origins not allowed to execute
	10	\| and load resources like scripts, styles and fonts. There are wide
	11	\| variety of options to choose from.
	12	*/
	13	csp: {
	14	/*
	15	\|--------------------------------------------------------------------------
	16	\| Directives
	17	\|--------------------------------------------------------------------------
	18	\|
	19	\| All directives are defined in camelCase and here is the list of
	20	\| available directives and their possible values.
	21	\|
	22	\| https://content-security-policy.com
	23	\|
	24	\| @example
	25	\| directives: {
	26	\| defaultSrc: ['self', '@nonce', 'cdnjs.cloudflare.com']
	27	\| }
	28	\|
	29	*/
	30	directives: {
	31	},
	32	/*
	33	\|--------------------------------------------------------------------------
	34	\| Report only
	35	\|--------------------------------------------------------------------------
	36	\|
	37	\| Setting `reportOnly=true` will not block the scripts from running and
	38	\| instead report them to a URL.
	39	\|
	40	*/
	41	reportOnly: false,
	42	/*
	43	\|--------------------------------------------------------------------------
	44	\| Set all headers
	45	\|--------------------------------------------------------------------------
	46	\|
	47	\| Headers staring with `X` have been depreciated, since all major browsers
	48	\| supports the standard CSP header. So its better to disable deperciated
	49	\| headers, unless you want them to be set.
	50	\|
	51	*/
	52	setAllHeaders: false,
	53
	54	/*
	55	\|--------------------------------------------------------------------------
	56	\| Disable on android
	57	\|--------------------------------------------------------------------------
	58	\|
	59	\| Certain versions of android are buggy with CSP policy. So you can set
	60	\| this value to true, to disable it for Android versions with buggy
	61	\| behavior.
	62	\|
	63	\| Here is an issue reported on a different package, but helpful to read
	64	\| if you want to know the behavior. https://github.com/helmetjs/helmet/pull/82
	65	\|
	66	*/
	67	disableAndroid: true
	68	},
	69
	70	/*
	71	\|--------------------------------------------------------------------------
	72	\| X-XSS-Protection
	73	\|--------------------------------------------------------------------------
	74	\|
	75	\| X-XSS Protection saves from applications from XSS attacks. It is adopted
	76	\| by IE and later followed by some other browsers.
	77	\|
	78	\| Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
	79	\|
	80	*/
	81	xss: {
	82	enabled: true,
	83	enableOnOldIE: false
	84	},
	85
	86	/*
	87	\|--------------------------------------------------------------------------
	88	\| Iframe Options
	89	\|--------------------------------------------------------------------------
	90	\|
	91	\| xframe defines whether or not your website can be embedded inside an
	92	\| iframe. Choose from one of the following options.
	93	\| @available options
	94	\| DENY, SAMEORIGIN, ALLOW-FROM http://example.com
	95	\|
	96	\| Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
	97	*/
	98	xframe: 'DENY',
	99
	100	/*
	101	\|--------------------------------------------------------------------------
	102	\| No Sniff
	103	\|--------------------------------------------------------------------------
	104	\|
	105	\| Browsers have a habit of sniffing content-type of a response. Which means
	106	\| files with .txt extension containing Javascript code will be executed as
	107	\| Javascript. You can disable this behavior by setting nosniff to false.
	108	\|
	109	\| Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
	110	\|
	111	*/
	112	nosniff: true,
	113
	114	/*
	115	\|--------------------------------------------------------------------------
	116	\| No Open
	117	\|--------------------------------------------------------------------------
	118	\|
	119	\| IE users can execute webpages in the context of your website, which is
	120	\| a serious security risk. Below option will manage this for you.
	121	\|
	122	*/
	123	noopen: true,
	124
	125	/*
	126	\|--------------------------------------------------------------------------
	127	\| CSRF Protection
	128	\|--------------------------------------------------------------------------
	129	\|
	130	\| CSRF Protection adds another layer of security by making sure, actionable
	131	\| routes does have a valid token to execute an action.
	132	\|
	133	*/
	134	csrf: {
	135	enable: true,
	136	methods: ['POST', 'PUT', 'DELETE'],
	137	filterUris: [],
	138	cookieOptions: {
	139	httpOnly: false,
	140	sameSite: true,
	141	path: '/',
	142	maxAge: 7200
	143	}
	144	}
	145	}