feat: add shield default config and adonisjs instructions
1 parent
dcc8828
commit 376767e
Showing
3 changed files
with
313 additions
and
10 deletions.
@@ -0,0 +1,285 @@ | ||
/** | ||
* Config source: https://git.io/JesV9 | ||
* | ||
* Feel free to let us know via PR, if you find something broken in this config | ||
* file. | ||
*/ | ||
|
||
import { ShieldConfig } from '@ioc:Adonis/Addons/Shield' | ||
|
||
/* | ||
|-------------------------------------------------------------------------- | ||
| Content Security Policy | ||
|-------------------------------------------------------------------------- | ||
| | ||
| Content security policy filters out the origins not allowed to execute | ||
| and load resources like scripts, styles and fonts. There are wide | ||
| variety of options to choose from. | ||
*/ | ||
export const csp: ShieldConfig['csp'] = { | ||
/* | ||
|-------------------------------------------------------------------------- | ||
| Enable/disable CSP | ||
|-------------------------------------------------------------------------- | ||
*/ | ||
enabled: true, | ||
|
||
/* | ||
|-------------------------------------------------------------------------- | ||
| Directives | ||
|-------------------------------------------------------------------------- | ||
| | ||
| All directives are defined in camelCase and here is the list of | ||
| available directives and their possible values. | ||
| | ||
| https://content-security-policy.com | ||
| | ||
| @example | ||
| directives: { | ||
| defaultSrc: ['self', '@nonce', 'cdnjs.cloudflare.com'] | ||
| } | ||
| | ||
*/ | ||
directives: { | ||
}, | ||
|
||
/* | ||
|-------------------------------------------------------------------------- | ||
| Loose Mode | ||
|-------------------------------------------------------------------------- | ||
| | ||
| This module will detect common mistakes in your directives and throw | ||
| errors if it finds any. To disable this, set the following following | ||
| to `true`. | ||
| | ||
*/ | ||
loose: false, | ||
|
||
/* | ||
|-------------------------------------------------------------------------- | ||
| Report only | ||
|-------------------------------------------------------------------------- | ||
| | ||
| Setting `reportOnly=true` will not block the scripts from running and | ||
| instead report them to a URL. | ||
| | ||
*/ | ||
reportOnly: false, | ||
|
||
/* | ||
|-------------------------------------------------------------------------- | ||
| Set all headers | ||
|-------------------------------------------------------------------------- | ||
| | ||
| Headers staring with `X` have been depreciated, since all major browsers | ||
| supports the standard CSP header. So its better to disable deperciated | ||
| headers, unless you want them to be set. | ||
| | ||
*/ | ||
setAllHeaders: false, | ||
|
||
/* | ||
|-------------------------------------------------------------------------- | ||
| Disable on android | ||
|-------------------------------------------------------------------------- | ||
| | ||
| Certain versions of android are buggy with CSP policy. So you can set | ||
| this value to true, to disable it for Android versions with buggy | ||
| behavior. | ||
| | ||
| Here is an issue reported on a different package, but helpful to read | ||
| if you want to know the behavior. https://github.com/helmetjs/helmet/pull/82 | ||
| | ||
*/ | ||
disableAndroid: true, | ||
} | ||
|
||
/* | ||
|-------------------------------------------------------------------------- | ||
| CSRF Protection | ||
|-------------------------------------------------------------------------- | ||
| | ||
| CSRF Protection adds another layer of security by making sure, actionable | ||
| routes does have a valid token to execute an action. | ||
| | ||
*/ | ||
export const csrf: ShieldConfig['csrf'] = { | ||
/* | ||
|-------------------------------------------------------------------------- | ||
| Enable/Disable CSRF | ||
|-------------------------------------------------------------------------- | ||
*/ | ||
enabled: true, | ||
|
||
/* | ||
|-------------------------------------------------------------------------- | ||
| Routes to Ignore | ||
|-------------------------------------------------------------------------- | ||
| | ||
| Define an array of route patterns that you want to ignore from CSRF | ||
| validation. Make sure the route patterns are started with a leading | ||
| slash. Example: | ||
| | ||
| `/foo/bar` | ||
| | ||
*/ | ||
exceptRoutes: [], | ||
|
||
/* | ||
|-------------------------------------------------------------------------- | ||
| Methods to Validate | ||
|-------------------------------------------------------------------------- | ||
| | ||
| Define an array of HTTP methods to be validated for a valid CSRF token. | ||
| | ||
*/ | ||
methods: ['POST', 'PUT', 'PATCH', 'DELETE'], | ||
} | ||
|
||
/* | ||
|-------------------------------------------------------------------------- | ||
| No Open | ||
|-------------------------------------------------------------------------- | ||
| | ||
| This will prevent old versions of Internet Explorer from allowing | ||
| malicious HTML downloads to be executed in the context of your | ||
| site. | ||
| | ||
| By default, the security header is disabled, since not many websites are | ||
| running on ie8 these days. | ||
| | ||
*/ | ||
export const noOpen: ShieldConfig['noOpen'] = { | ||
enabled: false, | ||
} | ||
|
||
/* | ||
|-------------------------------------------------------------------------- | ||
| DNS Prefetching | ||
|-------------------------------------------------------------------------- | ||
| | ||
| DNS prefetching allows browsers to proactively perform domain name | ||
| resolution in background. | ||
| | ||
| Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control | ||
| | ||
*/ | ||
export const dnsPrefetch: ShieldConfig['dnsPrefetch'] = { | ||
/* | ||
|-------------------------------------------------------------------------- | ||
| Enable/disable this feature | ||
|-------------------------------------------------------------------------- | ||
*/ | ||
enabled: true, | ||
|
||
/* | ||
|-------------------------------------------------------------------------- | ||
| Allow or Dis-Allow Explicitly | ||
|-------------------------------------------------------------------------- | ||
| | ||
| The `enabled` boolean does not set `X-DNS-Prefetch-Control` header. However | ||
| the `allow` boolean controls the value of `X-DNS-Prefetch-Control` header. | ||
| | ||
| - When `allow = true`, then `X-DNS-Prefetch-Control = 'on'` | ||
| - When `allow = false`, then `X-DNS-Prefetch-Control = 'off'` | ||
| | ||
*/ | ||
allow: true, | ||
} | ||
|
||
/* | ||
|-------------------------------------------------------------------------- | ||
| Iframe Options | ||
|-------------------------------------------------------------------------- | ||
| | ||
| xFrame defines whether or not your website can be embedded inside an | ||
| iframe. Choose from one of the following options. | ||
| | ||
| - DENY | ||
| - SAMEORIGIN | ||
| - ALLOW-FROM http://example.com | ||
| | ||
| Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options | ||
*/ | ||
export const xFrame: ShieldConfig['xFrame'] = { | ||
enabled: true, | ||
action: 'DENY', | ||
} | ||
|
||
/* | ||
|-------------------------------------------------------------------------- | ||
| Http Strict Transport Security | ||
|-------------------------------------------------------------------------- | ||
| | ||
| A security to ensure that a browser always makes a connection over | ||
| HTTPS. | ||
| | ||
| Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security | ||
| | ||
*/ | ||
export const hsts: ShieldConfig['hsts'] = { | ||
enabled: true, | ||
/* | ||
|-------------------------------------------------------------------------- | ||
| Max Age | ||
|-------------------------------------------------------------------------- | ||
| | ||
| Control, how long the browser should remember that a site is only to be | ||
| accessed using HTTPS. | ||
| | ||
*/ | ||
maxAge: '180 days', | ||
|
||
/* | ||
|-------------------------------------------------------------------------- | ||
| Include Subdomains | ||
|-------------------------------------------------------------------------- | ||
| | ||
| Apply rules on the subdomains as well. | ||
| | ||
*/ | ||
includeSubDomains: true, | ||
|
||
/* | ||
|-------------------------------------------------------------------------- | ||
| Preloading | ||
|-------------------------------------------------------------------------- | ||
| | ||
| Google maintains a service to register your domain and it will preload | ||
| the HSTS policy. Learn more https://hstspreload.org/ | ||
| | ||
*/ | ||
preload: false, | ||
} | ||
|
||
/* | ||
|-------------------------------------------------------------------------- | ||
| No Sniff | ||
|-------------------------------------------------------------------------- | ||
| | ||
| Browsers have a habit of sniffing content-type of a response. Which means | ||
| files with .txt extension containing Javascript code will be executed as | ||
| Javascript. You can disable this behavior by setting nosniff to false. | ||
| | ||
| Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options | ||
| | ||
*/ | ||
export const contentTypeSniffing: ShieldConfig['contentTypeSniffing'] = { | ||
enabled: true, | ||
} | ||
|
||
/* | ||
|-------------------------------------------------------------------------- | ||
| X-XSS-Protection | ||
|-------------------------------------------------------------------------- | ||
| | ||
| X-XSS Protection saves applications from XSS attacks. It was adopted | ||
| by IE and later followed by some other browsers. | ||
| | ||
| Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection | ||
*/ | ||
export const xss: ShieldConfig['xss'] = { | ||
enabled: true, | ||
enableOnOldIE: false, | ||
mode: 'block', | ||
} |
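Review bot: `csp.enabled: true` is paired with `directives: {}` near the top of the file, so presumably no restriction is actually applied until a project fills in directives — a default that looks protective but is inert; either ship a baseline such as `directives: { defaultSrc: ['self'] }` or add a comment above `directives` saying "CSP is a no-op until at least defaultSrc is set". Two documentation fixes in the same file: the No Sniff block links to the X-Frame-Options MDN page and should point to `https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options`, and its "setting nosniff to false" wording should name the actual option, `contentTypeSniffing.enabled`. The Iframe Options comment lists `ALLOW-FROM`, which current browsers no longer honor — note that CSP `frame-ancestors` is the replacement so users do not rely on it. Finally, `disableAndroid: true` exempts every Android user agent from CSP on the strength of a bug in a long-unsupported stock browser; consider defaulting it to `false` and documenting the UA-based bypass it introduces.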