Diffstat (limited to 'config')
-rw-r--r-- | config/session.js | 99 | ||||
-rw-r--r-- | config/shield.js | 145 |
2 files changed, 244 insertions, 0 deletions
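--- /dev/null
+++ b/config/session.js
@@ -0,0 +1,99 @@
+'use strict'
+
+const Env = use('Env')
+
+module.exports = {
+/*
+|--------------------------------------------------------------------------
+| Session Driver
+|--------------------------------------------------------------------------
+|
+| The session driver to be used for storing session values. It can be
+| cookie, file or redis.
+|
+| For `redis` driver, make sure to install and register `@adonisjs/redis`
+|
+*/
+driver: Env.get('SESSION_DRIVER', 'cookie'),
+
+/*
+|--------------------------------------------------------------------------
+| Cookie Name
+|--------------------------------------------------------------------------
+|
+| The name of the cookie to be used for saving session id. Session ids
+| are signed and encrypted.
+|
+*/
+cookieName: 'adonis-session',
+
+/*
+|--------------------------------------------------------------------------
+| Clear session when browser closes
+|--------------------------------------------------------------------------
+|
+| If this value is true, the session cookie will be temporary and will be
+| removed when browser closes.
+|
+*/
+clearWithBrowser: true,
+
+/*
+|--------------------------------------------------------------------------
+| Session age
+|--------------------------------------------------------------------------
+|
+| This value is only used when `clearWithBrowser` is set to false. The
+| age must be a valid https://npmjs.org/package/ms string or should
+| be in milliseconds.
+|
+| Valid values are:
+| '2h', '10d', '5y', '2.5 hrs'
+|
+*/
+age: '2h',
+
+/*
+|--------------------------------------------------------------------------
+| Cookie options
+|--------------------------------------------------------------------------
+|
+| Cookie options defines the options to be used for setting up session
+| cookie
+|
+*/
+cookie: {
+httpOnly: true,
+path: '/',
+sameSite: false
+},
+
+/*
+|--------------------------------------------------------------------------
+| Sessions location
+|--------------------------------------------------------------------------
+|
+| If driver is set to file, we need to define the relative location from
+| the temporary path or absolute url to any location.
+|
+*/
+file: {
+location: 'sessions'
+},
+
+/*
+|--------------------------------------------------------------------------
+| Redis config
+|--------------------------------------------------------------------------
+|
+| The configuration for the redis driver.
+|
+*/
+redis: {
+host: '127.0.0.1',
+port: 6379,
+password: null,
+db: 0,
+keyPrefix: ''
+}
+}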
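Review bot: `sameSite: false` on the session `cookie` block (line 68 of the new file) leaves the SameSite attribute off the cookie that carries the signed session id, and no `secure` attribute is set, so the cookie is attached to cross-site requests and can travel over plain HTTP. Unless cross-site use of the session is a requirement, `sameSite: 'lax'` together with `secure: true` (gated on an environment check if local development runs over HTTP) is the safer default; I am assuming the cookie layer accepts the standard `secure` attribute, since the options shown mirror standard cookie attributes. Separately, `driver` is read through `Env.get(...)` while the `redis` block hardcodes `host`, `port` and `password: null`; reading those from `Env.get(...)` as well would keep connection details and credentials out of the committed file.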
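--- /dev/null
+++ b/config/shield.js
@@ -0,0 +1,145 @@
+'use strict'
+
+module.exports = {
+/*
+|--------------------------------------------------------------------------
+| Content Security Policy
+|--------------------------------------------------------------------------
+|
+| Content security policy filters out the origins not allowed to execute
+| and load resources like scripts, styles and fonts. There are wide
+| variety of options to choose from.
+*/
+csp: {
+/*
+|--------------------------------------------------------------------------
+| Directives
+|--------------------------------------------------------------------------
+|
+| All directives are defined in camelCase and here is the list of
+| available directives and their possible values.
+|
+| https://content-security-policy.com
+|
+| @example
+| directives: {
+| defaultSrc: ['self', '@nonce', 'cdnjs.cloudflare.com']
+| }
+|
+*/
+directives: {
+},
+/*
+|--------------------------------------------------------------------------
+| Report only
+|--------------------------------------------------------------------------
+|
+| Setting `reportOnly=true` will not block the scripts from running and
+| instead report them to a URL.
+|
+*/
+reportOnly: false,
+/*
+|--------------------------------------------------------------------------
+| Set all headers
+|--------------------------------------------------------------------------
+|
+| Headers staring with `X` have been depreciated, since all major browsers
+| supports the standard CSP header. So its better to disable deperciated
+| headers, unless you want them to be set.
+|
+*/
+setAllHeaders: false,
+
+/*
+|--------------------------------------------------------------------------
+| Disable on android
+|--------------------------------------------------------------------------
+|
+| Certain versions of android are buggy with CSP policy. So you can set
+| this value to true, to disable it for Android versions with buggy
+| behavior.
+|
+| Here is an issue reported on a different package, but helpful to read
+| if you want to know the behavior. https://github.com/helmetjs/helmet/pull/82
+|
+*/
+disableAndroid: true
+},
+
+/*
+|--------------------------------------------------------------------------
+| X-XSS-Protection
+|--------------------------------------------------------------------------
+|
+| X-XSS Protection saves from applications from XSS attacks. It is adopted
+| by IE and later followed by some other browsers.
+|
+| Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
+|
+*/
+xss: {
+enabled: true,
+enableOnOldIE: false
+},
+
+/*
+|--------------------------------------------------------------------------
+| Iframe Options
+|--------------------------------------------------------------------------
+|
+| xframe defines whether or not your website can be embedded inside an
+| iframe. Choose from one of the following options.
+| @available options
+| DENY, SAMEORIGIN, ALLOW-FROM http://example.com
+|
+| Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+*/
+xframe: 'DENY',
+
+/*
+|--------------------------------------------------------------------------
+| No Sniff
+|--------------------------------------------------------------------------
+|
+| Browsers have a habit of sniffing content-type of a response. Which means
+| files with .txt extension containing Javascript code will be executed as
+| Javascript. You can disable this behavior by setting nosniff to false.
+|
+| Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+|
+*/
+nosniff: true,
+
+/*
+|--------------------------------------------------------------------------
+| No Open
+|--------------------------------------------------------------------------
+|
+| IE users can execute webpages in the context of your website, which is
+| a serious security risk. Below option will manage this for you.
+|
+*/
+noopen: true,
+
+/*
+|--------------------------------------------------------------------------
+| CSRF Protection
+|--------------------------------------------------------------------------
+|
+| CSRF Protection adds another layer of security by making sure, actionable
+| routes does have a valid token to execute an action.
+|
+*/
+csrf: {
+enable: true,
+methods: ['POST', 'PUT', 'DELETE'],
+filterUris: [],
+cookieOptions: {
+httpOnly: false,
+sameSite: true,
+path: '/',
+maxAge: 7200
+}
+}
+}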
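Review bot: `csrf.methods` (line 136 of the new file) lists `['POST', 'PUT', 'DELETE']` but not `PATCH`, so PATCH routes are exempt from the token check even though they are state-changing; `methods: ['POST', 'PUT', 'PATCH', 'DELETE']` closes that gap. `csp.directives` is left as an empty object, which appears to mean no Content-Security-Policy header is actually emitted even though the surrounding comments read as if the policy were active — starting from the documented example `defaultSrc: ['self']`, or adding a comment stating that an empty `directives` disables CSP, would make the intent explicit. The No Sniff comment has two defects: its link points to the X-Frame-Options MDN page rather than the X-Content-Type-Options one, and it says sniffing is disabled by setting `nosniff` to `false`, which is inverted relative to the `nosniff: true` default that sends the header. `disableAndroid: true` also weakens CSP for those clients by default and deserves a one-line comment on why it is enabled here.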