path: root/config/shield.ts
Diffstat (limited to 'config/shield.ts')
-rw-r--r--config/shield.ts363
1 files changed, 129 insertions, 234 deletions
diff --git a/config/shield.ts b/config/shield.ts
index 3566e1c..c88df25 100644
--- a/config/shield.ts
+++ b/config/shield.ts
@@ -1,243 +1,138 @@
1/** 1import env from '#start/env'
2 * Config source: https://git.io/Jvwvt 2import { defineConfig } from '@adonisjs/shield'
3 *
4 * Feel free to let us know via PR, if you find something broken in this config
5 * file.
6 */
7 3
8import Env from '@ioc:Adonis/Core/Env'; 4export default defineConfig({
9import { ShieldConfig } from '@ioc:Adonis/Addons/Shield'; 5 csp: {
6 /*
7 |--------------------------------------------------------------------------
8 | Enable/disable CSP
9 |--------------------------------------------------------------------------
10 |
11 | The CSP rules are disabled by default for seamless onboarding.
12 |
13 */
14 enabled: false,
10 15
11/* 16 /*
12|-------------------------------------------------------------------------- 17 |--------------------------------------------------------------------------
13| Content Security Policy 18 | Directives
14|-------------------------------------------------------------------------- 19 |--------------------------------------------------------------------------
15| 20 |
16| Content security policy filters out the origins not allowed to execute 21 | All directives are defined in camelCase and here is the list of
17| and load resources like scripts, styles and fonts. There are wide 22 | available directives and their possible values.
18| variety of options to choose from. 23 |
19*/ 24 | https://content-security-policy.com
20export const csp: ShieldConfig['csp'] = { 25 |
21 /* 26 | @example
22 |-------------------------------------------------------------------------- 27 | directives: {
23 | Enable/disable CSP 28 | defaultSrc: ["'self'", '@nonce', 'cdnjs.cloudflare.com']
24 |-------------------------------------------------------------------------- 29 | }
25 | 30 |
26 | The CSP rules are disabled by default for seamless onboarding. 31 */
27 | 32 directives: {},
28 */
29 enabled: false,
30 33
31 /* 34 /*
32 |-------------------------------------------------------------------------- 35 |--------------------------------------------------------------------------
33 | Directives 36 | Report only
34 |-------------------------------------------------------------------------- 37 |--------------------------------------------------------------------------
35 | 38 |
36 | All directives are defined in camelCase and here is the list of 39 | Setting `reportOnly=true` will not block the scripts from running and
37 | available directives and their possible values. 40 | instead report them to a URL.
38 | 41 |
39 | https://content-security-policy.com 42 */
40 | 43 reportOnly: false,
41 | @example
42 | directives: {
43 | defaultSrc: ["'self'", '@nonce', 'cdnjs.cloudflare.com']
44 | }
45 |
46 */
47 directives: {},
48
49 /*
50 |--------------------------------------------------------------------------
51 | Report only
52 |--------------------------------------------------------------------------
53 |
54 | Setting `reportOnly=true` will not block the scripts from running and
55 | instead report them to a URL.
56 |
57 */
58 reportOnly: false,
59};
60
61/*
62|--------------------------------------------------------------------------
63| CSRF Protection
64|--------------------------------------------------------------------------
65|
66| CSRF Protection adds another layer of security by making sure, actionable
67| routes does have a valid token to execute an action.
68|
69*/
70export const csrf: ShieldConfig['csrf'] = {
71 /*
72 |--------------------------------------------------------------------------
73 | Enable/Disable CSRF
74 |--------------------------------------------------------------------------
75 */
76 enabled: Env.get('NODE_ENV') === 'production',
77
78 /*
79 |--------------------------------------------------------------------------
80 | Routes to Ignore
81 |--------------------------------------------------------------------------
82 |
83 | Define an array of route patterns that you want to ignore from CSRF
84 | validation. Make sure the route patterns are started with a leading
85 | slash. Example:
86 |
87 | `/foo/bar`
88 |
89 | Also you can define a function that is evaluated on every HTTP Request.
90 | ```
91 | exceptRoutes: ({ request }) => request.url().includes('/api')
92 | ```
93 |
94 */
95 exceptRoutes: ctx => {
96 // ignore all routes starting with /v1/ (api)
97 return (
98 ctx.request.url().includes('/v1/') ||
99 ctx.request.url().includes('/import')
100 );
101 }, 44 },
45 csrf: {
46 /*
47 |--------------------------------------------------------------------------
48 | Enable/Disable CSRF
49 |--------------------------------------------------------------------------
50 */
51 enabled: env.get('NODE_ENV') === 'production',
102 52
103 /* 53 /*
104 |-------------------------------------------------------------------------- 54 |--------------------------------------------------------------------------
105 | Enable Sharing Token Via Cookie 55 | Routes to Ignore
106 |-------------------------------------------------------------------------- 56 |--------------------------------------------------------------------------
107 | 57 |
108 | When the following flag is enabled, AdonisJS will drop `XSRF-TOKEN` 58 | Define an array of route patterns that you want to ignore from CSRF
109 | cookie that frontend frameworks can read and return back as a 59 | validation. Make sure the route patterns are started with a leading
110 | `X-XSRF-TOKEN` header. 60 | slash. Example:
111 | 61 |
112 | The cookie has `httpOnly` flag set to false, so it is little insecure and 62 | `/foo/bar`
113 | can be turned off when you are not using a frontend framework making 63 |
114 | AJAX requests. 64 | Also you can define a function that is evaluated on every HTTP Request.
115 | 65 | ```
116 */ 66 | exceptRoutes: ({ request }) => request.url().includes('/api')
117 enableXsrfCookie: true, 67 | ```
118 68 |
119 /* 69 */
120 |-------------------------------------------------------------------------- 70 exceptRoutes: (ctx) => {
121 | Methods to Validate 71 // ignore all routes starting with /v1/ (api)
122 |-------------------------------------------------------------------------- 72 return ctx.request.url().includes('/v1/') || ctx.request.url().includes('/import')
123 | 73 },
124 | Define an array of HTTP methods to be validated for a valid CSRF token.
125 |
126 */
127 methods: ['POST', 'PUT', 'PATCH', 'DELETE'],
128};
129
130/*
131|--------------------------------------------------------------------------
132| DNS Prefetching
133|--------------------------------------------------------------------------
134|
135| DNS prefetching allows browsers to proactively perform domain name
136| resolution in background.
137|
138| Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control
139|
140*/
141export const dnsPrefetch: ShieldConfig['dnsPrefetch'] = {
142 /*
143 |--------------------------------------------------------------------------
144 | Enable/disable this feature
145 |--------------------------------------------------------------------------
146 */
147 enabled: true,
148 74
149 /* 75 /*
150 |-------------------------------------------------------------------------- 76 |--------------------------------------------------------------------------
151 | Allow or Dis-Allow Explicitly 77 | Enable Sharing Token Via Cookie
152 |-------------------------------------------------------------------------- 78 |--------------------------------------------------------------------------
153 | 79 |
154 | The `enabled` boolean does not set `X-DNS-Prefetch-Control` header. However 80 | When the following flag is enabled, AdonisJS will drop `XSRF-TOKEN`
155 | the `allow` boolean controls the value of `X-DNS-Prefetch-Control` header. 81 | cookie that frontend frameworks can read and return back as a
156 | 82 | `X-XSRF-TOKEN` header.
157 | - When `allow = true`, then `X-DNS-Prefetch-Control = 'on'` 83 |
158 | - When `allow = false`, then `X-DNS-Prefetch-Control = 'off'` 84 | The cookie has `httpOnly` flag set to false, so it is little insecure and
159 | 85 | can be turned off when you are not using a frontend framework making
160 */ 86 | AJAX requests.
161 allow: true, 87 |
162}; 88 */
89 enableXsrfCookie: true,
163 90
164/* 91 /*
165|-------------------------------------------------------------------------- 92 |--------------------------------------------------------------------------
166| Iframe Options 93 | Methods to Validate
167|-------------------------------------------------------------------------- 94 |--------------------------------------------------------------------------
168| 95 |
169| xFrame defines whether or not your website can be embedded inside an 96 | Define an array of HTTP methods to be validated for a valid CSRF token.
170| iframe. Choose from one of the following options. 97 |
171| 98 */
172| - DENY 99 methods: ['POST', 'PUT', 'PATCH', 'DELETE'],
173| - SAMEORIGIN 100 },
174| - ALLOW-FROM http://example.com 101 hsts: {
175| 102 enabled: true,
176| Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options 103 /*
177*/ 104 |--------------------------------------------------------------------------
178export const xFrame: ShieldConfig['xFrame'] = { 105 | Max Age
179 enabled: true, 106 |--------------------------------------------------------------------------
180 action: 'DENY', 107 |
181}; 108 | Control, how long the browser should remember that a site is only to be
182 109 | accessed using HTTPS.
183/* 110 |
184|-------------------------------------------------------------------------- 111 */
185| Http Strict Transport Security 112 maxAge: '180 days',
186|--------------------------------------------------------------------------
187|
188| A security to ensure that a browser always makes a connection over
189| HTTPS.
190|
191| Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
192|
193*/
194export const hsts: ShieldConfig['hsts'] = {
195 enabled: true,
196 /*
197 |--------------------------------------------------------------------------
198 | Max Age
199 |--------------------------------------------------------------------------
200 |
201 | Control, how long the browser should remember that a site is only to be
202 | accessed using HTTPS.
203 |
204 */
205 maxAge: '180 days',
206
207 /*
208 |--------------------------------------------------------------------------
209 | Include Subdomains
210 |--------------------------------------------------------------------------
211 |
212 | Apply rules on the subdomains as well.
213 |
214 */
215 includeSubDomains: true,
216 113
217 /* 114 /*
218 |-------------------------------------------------------------------------- 115 |--------------------------------------------------------------------------
219 | Preloading 116 | Include Subdomains
220 |-------------------------------------------------------------------------- 117 |--------------------------------------------------------------------------
221 | 118 |
222 | Google maintains a service to register your domain and it will preload 119 | Apply rules on the subdomains as well.
223 | the HSTS policy. Learn more https://hstspreload.org/ 120 |
224 | 121 */
225 */ 122 includeSubDomains: true,
226 preload: false,
227};
228 123
229/* 124 /*
230|-------------------------------------------------------------------------- 125 |--------------------------------------------------------------------------
231| No Sniff 126 | Preloading
232|-------------------------------------------------------------------------- 127 |--------------------------------------------------------------------------
233| 128 |
234| Browsers have a habit of sniffing content-type of a response. Which means 129 | Google maintains a service to register your domain and it will preload
235| files with .txt extension containing Javascript code will be executed as 130 | the HSTS policy. Learn more https://hstspreload.org/
236| Javascript. You can disable this behavior by setting nosniff to false. 131 |
237| 132 */
238| Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options 133 preload: false,
239| 134 },
240*/ 135 contentTypeSniffing: {
241export const contentTypeSniffing: ShieldConfig['contentTypeSniffing'] = { 136 enabled: true,
242 enabled: true, 137 },
243}; 138})
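Review bot: The new `exceptRoutes` callback (new lines 70-73) still uses `includes`, which is a substring test, so CSRF validation is skipped for any path that merely contains `/v1/` or `/import` somewhere (for example `/admin/v1/users` or `/settings/import-keys`), not only the API routes the comment describes. Anchoring the check to the start of the path closes that gap: `return ctx.request.url().startsWith('/v1/') || ctx.request.url().startsWith('/import')`; if `/import` is a single endpoint rather than a prefix, compare it with `===` instead. Two further points worth confirming rather than defects provable from the hunk: `enabled: env.get('NODE_ENV') === 'production'` leaves CSRF off on any staging host that is not flagged as production, and the old `xFrame` (`action: 'DENY'`) and `dnsPrefetch` blocks are not carried into the new `defineConfig` call, so `X-Frame-Options` is only emitted if `defineConfig` supplies a default for it.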