Diffstat (limited to 'config/shield.ts')
-rw-r--r-- | config/shield.ts | 363 |
1 files changed, 129 insertions, 234 deletions
diff --git a/config/shield.ts b/config/shield.ts index 3566e1c..c88df25 100644 --- a/config/shield.ts +++ b/config/shield.ts | |||
@@ -1,243 +1,138 @@ | |||
1 | /** | 1 | import env from '#start/env' |
2 | * Config source: https://git.io/Jvwvt | 2 | import { defineConfig } from '@adonisjs/shield' |
3 | * | ||
4 | * Feel free to let us know via PR, if you find something broken in this config | ||
5 | * file. | ||
6 | */ | ||
7 | 3 | ||
8 | import Env from '@ioc:Adonis/Core/Env'; | 4 | export default defineConfig({ |
9 | import { ShieldConfig } from '@ioc:Adonis/Addons/Shield'; | 5 | csp: { |
6 | /* | ||
7 | |-------------------------------------------------------------------------- | ||
8 | | Enable/disable CSP | ||
9 | |-------------------------------------------------------------------------- | ||
10 | | | ||
11 | | The CSP rules are disabled by default for seamless onboarding. | ||
12 | | | ||
13 | */ | ||
14 | enabled: false, | ||
10 | 15 | ||
11 | /* | 16 | /* |
12 | |-------------------------------------------------------------------------- | 17 | |-------------------------------------------------------------------------- |
13 | | Content Security Policy | 18 | | Directives |
14 | |-------------------------------------------------------------------------- | 19 | |-------------------------------------------------------------------------- |
15 | | | 20 | | |
16 | | Content security policy filters out the origins not allowed to execute | 21 | | All directives are defined in camelCase and here is the list of |
17 | | and load resources like scripts, styles and fonts. There are wide | 22 | | available directives and their possible values. |
18 | | variety of options to choose from. | 23 | | |
19 | */ | 24 | | https://content-security-policy.com |
20 | export const csp: ShieldConfig['csp'] = { | 25 | | |
21 | /* | 26 | | @example |
22 | |-------------------------------------------------------------------------- | 27 | | directives: { |
23 | | Enable/disable CSP | 28 | | defaultSrc: ["'self'", '@nonce', 'cdnjs.cloudflare.com'] |
24 | |-------------------------------------------------------------------------- | 29 | | } |
25 | | | 30 | | |
26 | | The CSP rules are disabled by default for seamless onboarding. | 31 | */ |
27 | | | 32 | directives: {}, |
28 | */ | ||
29 | enabled: false, | ||
30 | 33 | ||
31 | /* | 34 | /* |
32 | |-------------------------------------------------------------------------- | 35 | |-------------------------------------------------------------------------- |
33 | | Directives | 36 | | Report only |
34 | |-------------------------------------------------------------------------- | 37 | |-------------------------------------------------------------------------- |
35 | | | 38 | | |
36 | | All directives are defined in camelCase and here is the list of | 39 | | Setting `reportOnly=true` will not block the scripts from running and |
37 | | available directives and their possible values. | 40 | | instead report them to a URL. |
38 | | | 41 | | |
39 | | https://content-security-policy.com | 42 | */ |
40 | | | 43 | reportOnly: false, |
41 | | @example | ||
42 | | directives: { | ||
43 | | defaultSrc: ["'self'", '@nonce', 'cdnjs.cloudflare.com'] | ||
44 | | } | ||
45 | | | ||
46 | */ | ||
47 | directives: {}, | ||
48 | |||
49 | /* | ||
50 | |-------------------------------------------------------------------------- | ||
51 | | Report only | ||
52 | |-------------------------------------------------------------------------- | ||
53 | | | ||
54 | | Setting `reportOnly=true` will not block the scripts from running and | ||
55 | | instead report them to a URL. | ||
56 | | | ||
57 | */ | ||
58 | reportOnly: false, | ||
59 | }; | ||
60 | |||
61 | /* | ||
62 | |-------------------------------------------------------------------------- | ||
63 | | CSRF Protection | ||
64 | |-------------------------------------------------------------------------- | ||
65 | | | ||
66 | | CSRF Protection adds another layer of security by making sure, actionable | ||
67 | | routes does have a valid token to execute an action. | ||
68 | | | ||
69 | */ | ||
70 | export const csrf: ShieldConfig['csrf'] = { | ||
71 | /* | ||
72 | |-------------------------------------------------------------------------- | ||
73 | | Enable/Disable CSRF | ||
74 | |-------------------------------------------------------------------------- | ||
75 | */ | ||
76 | enabled: Env.get('NODE_ENV') === 'production', | ||
77 | |||
78 | /* | ||
79 | |-------------------------------------------------------------------------- | ||
80 | | Routes to Ignore | ||
81 | |-------------------------------------------------------------------------- | ||
82 | | | ||
83 | | Define an array of route patterns that you want to ignore from CSRF | ||
84 | | validation. Make sure the route patterns are started with a leading | ||
85 | | slash. Example: | ||
86 | | | ||
87 | | `/foo/bar` | ||
88 | | | ||
89 | | Also you can define a function that is evaluated on every HTTP Request. | ||
90 | | ``` | ||
91 | | exceptRoutes: ({ request }) => request.url().includes('/api') | ||
92 | | ``` | ||
93 | | | ||
94 | */ | ||
95 | exceptRoutes: ctx => { | ||
96 | // ignore all routes starting with /v1/ (api) | ||
97 | return ( | ||
98 | ctx.request.url().includes('/v1/') || | ||
99 | ctx.request.url().includes('/import') | ||
100 | ); | ||
101 | }, | 44 | }, |
45 | csrf: { | ||
46 | /* | ||
47 | |-------------------------------------------------------------------------- | ||
48 | | Enable/Disable CSRF | ||
49 | |-------------------------------------------------------------------------- | ||
50 | */ | ||
51 | enabled: env.get('NODE_ENV') === 'production', | ||
102 | 52 | ||
103 | /* | 53 | /* |
104 | |-------------------------------------------------------------------------- | 54 | |-------------------------------------------------------------------------- |
105 | | Enable Sharing Token Via Cookie | 55 | | Routes to Ignore |
106 | |-------------------------------------------------------------------------- | 56 | |-------------------------------------------------------------------------- |
107 | | | 57 | | |
108 | | When the following flag is enabled, AdonisJS will drop `XSRF-TOKEN` | 58 | | Define an array of route patterns that you want to ignore from CSRF |
109 | | cookie that frontend frameworks can read and return back as a | 59 | | validation. Make sure the route patterns are started with a leading |
110 | | `X-XSRF-TOKEN` header. | 60 | | slash. Example: |
111 | | | 61 | | |
112 | | The cookie has `httpOnly` flag set to false, so it is little insecure and | 62 | | `/foo/bar` |
113 | | can be turned off when you are not using a frontend framework making | 63 | | |
114 | | AJAX requests. | 64 | | Also you can define a function that is evaluated on every HTTP Request. |
115 | | | 65 | | ``` |
116 | */ | 66 | | exceptRoutes: ({ request }) => request.url().includes('/api') |
117 | enableXsrfCookie: true, | 67 | | ``` |
118 | 68 | | | |
119 | /* | 69 | */ |
120 | |-------------------------------------------------------------------------- | 70 | exceptRoutes: (ctx) => { |
121 | | Methods to Validate | 71 | // ignore all routes starting with /v1/ (api) |
122 | |-------------------------------------------------------------------------- | 72 | return ctx.request.url().includes('/v1/') || ctx.request.url().includes('/import') |
123 | | | 73 | }, |
124 | | Define an array of HTTP methods to be validated for a valid CSRF token. | ||
125 | | | ||
126 | */ | ||
127 | methods: ['POST', 'PUT', 'PATCH', 'DELETE'], | ||
128 | }; | ||
129 | |||
130 | /* | ||
131 | |-------------------------------------------------------------------------- | ||
132 | | DNS Prefetching | ||
133 | |-------------------------------------------------------------------------- | ||
134 | | | ||
135 | | DNS prefetching allows browsers to proactively perform domain name | ||
136 | | resolution in background. | ||
137 | | | ||
138 | | Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control | ||
139 | | | ||
140 | */ | ||
141 | export const dnsPrefetch: ShieldConfig['dnsPrefetch'] = { | ||
142 | /* | ||
143 | |-------------------------------------------------------------------------- | ||
144 | | Enable/disable this feature | ||
145 | |-------------------------------------------------------------------------- | ||
146 | */ | ||
147 | enabled: true, | ||
148 | 74 | ||
149 | /* | 75 | /* |
150 | |-------------------------------------------------------------------------- | 76 | |-------------------------------------------------------------------------- |
151 | | Allow or Dis-Allow Explicitly | 77 | | Enable Sharing Token Via Cookie |
152 | |-------------------------------------------------------------------------- | 78 | |-------------------------------------------------------------------------- |
153 | | | 79 | | |
154 | | The `enabled` boolean does not set `X-DNS-Prefetch-Control` header. However | 80 | | When the following flag is enabled, AdonisJS will drop `XSRF-TOKEN` |
155 | | the `allow` boolean controls the value of `X-DNS-Prefetch-Control` header. | 81 | | cookie that frontend frameworks can read and return back as a |
156 | | | 82 | | `X-XSRF-TOKEN` header. |
157 | | - When `allow = true`, then `X-DNS-Prefetch-Control = 'on'` | 83 | | |
158 | | - When `allow = false`, then `X-DNS-Prefetch-Control = 'off'` | 84 | | The cookie has `httpOnly` flag set to false, so it is little insecure and |
159 | | | 85 | | can be turned off when you are not using a frontend framework making |
160 | */ | 86 | | AJAX requests. |
161 | allow: true, | 87 | | |
162 | }; | 88 | */ |
89 | enableXsrfCookie: true, | ||
163 | 90 | ||
164 | /* | 91 | /* |
165 | |-------------------------------------------------------------------------- | 92 | |-------------------------------------------------------------------------- |
166 | | Iframe Options | 93 | | Methods to Validate |
167 | |-------------------------------------------------------------------------- | 94 | |-------------------------------------------------------------------------- |
168 | | | 95 | | |
169 | | xFrame defines whether or not your website can be embedded inside an | 96 | | Define an array of HTTP methods to be validated for a valid CSRF token. |
170 | | iframe. Choose from one of the following options. | 97 | | |
171 | | | 98 | */ |
172 | | - DENY | 99 | methods: ['POST', 'PUT', 'PATCH', 'DELETE'], |
173 | | - SAMEORIGIN | 100 | }, |
174 | | - ALLOW-FROM http://example.com | 101 | hsts: { |
175 | | | 102 | enabled: true, |
176 | | Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options | 103 | /* |
177 | */ | 104 | |-------------------------------------------------------------------------- |
178 | export const xFrame: ShieldConfig['xFrame'] = { | 105 | | Max Age |
179 | enabled: true, | 106 | |-------------------------------------------------------------------------- |
180 | action: 'DENY', | 107 | | |
181 | }; | 108 | | Control, how long the browser should remember that a site is only to be |
182 | 109 | | accessed using HTTPS. | |
183 | /* | 110 | | |
184 | |-------------------------------------------------------------------------- | 111 | */ |
185 | | Http Strict Transport Security | 112 | maxAge: '180 days', |
186 | |-------------------------------------------------------------------------- | ||
187 | | | ||
188 | | A security to ensure that a browser always makes a connection over | ||
189 | | HTTPS. | ||
190 | | | ||
191 | | Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security | ||
192 | | | ||
193 | */ | ||
194 | export const hsts: ShieldConfig['hsts'] = { | ||
195 | enabled: true, | ||
196 | /* | ||
197 | |-------------------------------------------------------------------------- | ||
198 | | Max Age | ||
199 | |-------------------------------------------------------------------------- | ||
200 | | | ||
201 | | Control, how long the browser should remember that a site is only to be | ||
202 | | accessed using HTTPS. | ||
203 | | | ||
204 | */ | ||
205 | maxAge: '180 days', | ||
206 | |||
207 | /* | ||
208 | |-------------------------------------------------------------------------- | ||
209 | | Include Subdomains | ||
210 | |-------------------------------------------------------------------------- | ||
211 | | | ||
212 | | Apply rules on the subdomains as well. | ||
213 | | | ||
214 | */ | ||
215 | includeSubDomains: true, | ||
216 | 113 | ||
217 | /* | 114 | /* |
218 | |-------------------------------------------------------------------------- | 115 | |-------------------------------------------------------------------------- |
219 | | Preloading | 116 | | Include Subdomains |
220 | |-------------------------------------------------------------------------- | 117 | |-------------------------------------------------------------------------- |
221 | | | 118 | | |
222 | | Google maintains a service to register your domain and it will preload | 119 | | Apply rules on the subdomains as well. |
223 | | the HSTS policy. Learn more https://hstspreload.org/ | 120 | | |
224 | | | 121 | */ |
225 | */ | 122 | includeSubDomains: true, |
226 | preload: false, | ||
227 | }; | ||
228 | 123 | ||
229 | /* | 124 | /* |
230 | |-------------------------------------------------------------------------- | 125 | |-------------------------------------------------------------------------- |
231 | | No Sniff | 126 | | Preloading |
232 | |-------------------------------------------------------------------------- | 127 | |-------------------------------------------------------------------------- |
233 | | | 128 | | |
234 | | Browsers have a habit of sniffing content-type of a response. Which means | 129 | | Google maintains a service to register your domain and it will preload |
235 | | files with .txt extension containing Javascript code will be executed as | 130 | | the HSTS policy. Learn more https://hstspreload.org/ |
236 | | Javascript. You can disable this behavior by setting nosniff to false. | 131 | | |
237 | | | 132 | */ |
238 | | Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options | 133 | preload: false, |
239 | | | 134 | }, |
240 | */ | 135 | contentTypeSniffing: { |
241 | export const contentTypeSniffing: ShieldConfig['contentTypeSniffing'] = { | 136 | enabled: true, |
242 | enabled: true, | 137 | }, |
243 | }; | 138 | }) |
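Review bot: `exceptRoutes` (new line 72) exempts a request from CSRF validation whenever `'/v1/'` or `'/import'` appears anywhere in the URL, while the comment on new line 71 says routes *starting with* `/v1/`; a substring test also matches paths such as `/admin/import` or `/x/v1/y`, so the CSRF exemption is wider than documented. Anchoring the check, `return ctx.request.url().startsWith('/v1/') || ctx.request.url().startsWith('/import')`, matches the stated intent and keeps the exemption to the two prefixes. Separately, the old file's `xFrame: { enabled: true, action: 'DENY' }` and `dnsPrefetch` blocks have no counterpart in the new `defineConfig` call; unless `defineConfig` from `@adonisjs/shield` fills in those defaults, the `X-Frame-Options` header the app previously sent will silently stop being set, so `xFrame` is worth carrying over explicitly.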