feat: add shield default config and adonisjs instructions

adonisjs · Mar 6, 2020 · 376767e · 376767e
1 parent dcc8828
commit 376767e
Show file tree

Hide file tree

Showing 3 changed files with 313 additions and 10 deletions.
diff --git a/package.json b/package.json
@@ -2,6 +2,15 @@
   "name": "@adonisjs/shield",
   "version": "1.0.8",
   "description": "Adonis shield is middleware to standard HTTP websites to protect themselves from common web attacks like xss, csp and csrf",
+  "main": "build/providers/ShieldProvider.js",
+  "files": [
+    "build/adonis-typings",
+    "build/providers",
+    "build/src",
+    "build/standalone.d.ts",
+    "build/standalone.js"
+  ],
+  "typings": "./build/adonis-typings/index.d.ts",
   "scripts": {
     "mrm": "mrm --preset=@adonisjs/mrm-preset",
     "pretest": "npm run lint",
@@ -21,16 +30,17 @@
     "csp"
   ],
   "peerDependencies": {
-    "@adonisjs/session": "^2.x.x"
+    "@adonisjs/session": "^2.0.0",
+    "@adonisjs/core": ">=5.0.0-preview"
   },
   "author": "virk",
   "license": "MIT",
   "devDependencies": {
-    "@adonisjs/core": "^5.0.0-preview.2",
+    "@adonisjs/core": "^5.0.0-preview.4",
     "@adonisjs/fold": "^6.3.4",
     "@adonisjs/mrm-preset": "^2.2.4",
     "@adonisjs/session": "^2.3.3",
-    "@adonisjs/view": "^1.0.10",
+    "@adonisjs/view": "^1.0.11",
     "@poppinss/dev-utils": "^1.0.4",
     "@types/csrf": "^1.3.2",
     "@types/node": "^13.7.7",
@@ -69,12 +79,6 @@
       ".ts"
     ]
   },
-  "main": "build/index.js",
-  "files": [
-    "build/src",
-    "build/index.d.ts",
-    "build/index.js"
-  ],
   "husky": {
     "hooks": {
       "pre-commit": "doctoc README.md --title='## Table of contents' && git add README.md",
@@ -85,5 +89,16 @@
     "commitizen": {
       "path": "cz-conventional-changelog"
     }
+  },
+  "adonisjs": {
+    "types": "@adonisjs/shield",
+    "providers": [
+      "@adonisjs/shield"
+    ],
+    "templates": {
+      "config": [
+        "shield.txt"
+      ]
+    }
   }
 }
diff --git a/templates/shield.txt b/templates/shield.txt
@@ -0,0 +1,285 @@
+/**
+ * Config source: https://git.io/JesV9
+ *
+ * Feel free to let us know via PR, if you find something broken in this config
+ * file.
+ */
+
+import { ShieldConfig } from '@ioc:Adonis/Addons/Shield'
+
+/*
+|--------------------------------------------------------------------------
+| Content Security Policy
+|--------------------------------------------------------------------------
+|
+| Content security policy filters out the origins not allowed to execute
+| and load resources like scripts, styles and fonts. There are wide
+| variety of options to choose from.
+*/
+export const csp: ShieldConfig['csp'] = {
+  /*
+  |--------------------------------------------------------------------------
+  | Enable/disable CSP
+  |--------------------------------------------------------------------------
+  */
+  enabled: true,
+
+  /*
+  |--------------------------------------------------------------------------
+  | Directives
+  |--------------------------------------------------------------------------
+  |
+  | All directives are defined in camelCase and here is the list of
+  | available directives and their possible values.
+  |
+  | https://content-security-policy.com
+  |
+  | @example
+  | directives: {
+  |   defaultSrc: ['self', '@nonce', 'cdnjs.cloudflare.com']
+  | }
+  |
+  */
+  directives: {
+  },
+
+  /*
+  |--------------------------------------------------------------------------
+  | Loose Mode
+  |--------------------------------------------------------------------------
+  |
+  | This module will detect common mistakes in your directives and throw
+  | errors if it finds any. To disable this, set the following following
+  | to `true`.
+  |
+  */
+  loose: false,
+
+  /*
+  |--------------------------------------------------------------------------
+  | Report only
+  |--------------------------------------------------------------------------
+  |
+  | Setting `reportOnly=true` will not block the scripts from running and
+  | instead report them to a URL.
+  |
+  */
+  reportOnly: false,
+
+  /*
+  |--------------------------------------------------------------------------
+  | Set all headers
+  |--------------------------------------------------------------------------
+  |
+  | Headers staring with `X` have been depreciated, since all major browsers
+  | supports the standard CSP header. So its better to disable deperciated
+  | headers, unless you want them to be set.
+  |
+  */
+  setAllHeaders: false,
+
+  /*
+  |--------------------------------------------------------------------------
+  | Disable on android
+  |--------------------------------------------------------------------------
+  |
+  | Certain versions of android are buggy with CSP policy. So you can set
+  | this value to true, to disable it for Android versions with buggy
+  | behavior.
+  |
+  | Here is an issue reported on a different package, but helpful to read
+  | if you want to know the behavior. https://github.com/helmetjs/helmet/pull/82
+  |
+  */
+  disableAndroid: true,
+}
+
+/*
+|--------------------------------------------------------------------------
+| CSRF Protection
+|--------------------------------------------------------------------------
+|
+| CSRF Protection adds another layer of security by making sure, actionable
+| routes does have a valid token to execute an action.
+|
+*/
+export const csrf: ShieldConfig['csrf'] = {
+  /*
+  |--------------------------------------------------------------------------
+  | Enable/Disable CSRF
+  |--------------------------------------------------------------------------
+  */
+  enabled: true,
+
+  /*
+  |--------------------------------------------------------------------------
+  | Routes to Ignore
+  |--------------------------------------------------------------------------
+  |
+  | Define an array of route patterns that you want to ignore from CSRF
+  | validation. Make sure the route patterns are started with a leading
+  | slash. Example:
+  |
+  | `/foo/bar`
+  |
+  */
+  exceptRoutes: [],
+
+  /*
+  |--------------------------------------------------------------------------
+  | Methods to Validate
+  |--------------------------------------------------------------------------
+  |
+  | Define an array of HTTP methods to be validated for a valid CSRF token.
+  |
+  */
+  methods: ['POST', 'PUT', 'PATCH', 'DELETE'],
+}
+
+/*
+|--------------------------------------------------------------------------
+| No Open
+|--------------------------------------------------------------------------
+|
+| This will prevent old versions of Internet Explorer from allowing
+| malicious HTML downloads to be executed in the context of your
+| site.
+|
+| By default, the security header is disabled, since not many websites are
+| running on ie8 these days.
+|
+*/
+export const noOpen: ShieldConfig['noOpen'] = {
+  enabled: false,
+}
+
+/*
+|--------------------------------------------------------------------------
+| DNS Prefetching
+|--------------------------------------------------------------------------
+|
+| DNS prefetching allows browsers to proactively perform domain name
+| resolution in background.
+|
+| Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control
+|
+*/
+export const dnsPrefetch: ShieldConfig['dnsPrefetch'] = {
+  /*
+  |--------------------------------------------------------------------------
+  | Enable/disable this feature
+  |--------------------------------------------------------------------------
+  */
+  enabled: true,
+
+  /*
+  |--------------------------------------------------------------------------
+  | Allow or Dis-Allow Explicitly
+  |--------------------------------------------------------------------------
+  |
+  | The `enabled` boolean does not set `X-DNS-Prefetch-Control` header. However
+  | the `allow` boolean controls the value of `X-DNS-Prefetch-Control` header.
+  |
+  | - When `allow = true`, then `X-DNS-Prefetch-Control = 'on'`
+  | - When `allow = false`, then `X-DNS-Prefetch-Control = 'off'`
+  |
+  */
+  allow: true,
+}
+
+/*
+|--------------------------------------------------------------------------
+| Iframe Options
+|--------------------------------------------------------------------------
+|
+| xFrame defines whether or not your website can be embedded inside an
+| iframe. Choose from one of the following options.
+|
+| - DENY
+| - SAMEORIGIN
+| - ALLOW-FROM http://example.com
+|
+| Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+*/
+export const xFrame: ShieldConfig['xFrame'] = {
+  enabled: true,
+  action: 'DENY',
+}
+
+/*
+|--------------------------------------------------------------------------
+| Http Strict Transport Security
+|--------------------------------------------------------------------------
+|
+| A security to ensure that a browser always makes a connection over
+| HTTPS.
+|
+| Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
+|
+*/
+export const hsts: ShieldConfig['hsts'] = {
+  enabled: true,
+  /*
+  |--------------------------------------------------------------------------
+  | Max Age
+  |--------------------------------------------------------------------------
+  |
+  | Control, how long the browser should remember that a site is only to be
+  | accessed using HTTPS.
+  |
+  */
+  maxAge: '180 days',
+
+  /*
+  |--------------------------------------------------------------------------
+  | Include Subdomains
+  |--------------------------------------------------------------------------
+  |
+  | Apply rules on the subdomains as well.
+  |
+  */
+  includeSubDomains: true,
+
+  /*
+  |--------------------------------------------------------------------------
+  | Preloading
+  |--------------------------------------------------------------------------
+  |
+  | Google maintains a service to register your domain and it will preload
+  | the HSTS policy. Learn more https://hstspreload.org/
+  |
+  */
+  preload: false,
+}
+
+/*
+|--------------------------------------------------------------------------
+| No Sniff
+|--------------------------------------------------------------------------
+|
+| Browsers have a habit of sniffing content-type of a response. Which means
+| files with .txt extension containing Javascript code will be executed as
+| Javascript. You can disable this behavior by setting nosniff to false.
+|
+| Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+|
+*/
+export const contentTypeSniffing: ShieldConfig['contentTypeSniffing'] = {
+  enabled: true,
+}
+
+/*
+|--------------------------------------------------------------------------
+| X-XSS-Protection
+|--------------------------------------------------------------------------
+|
+| X-XSS Protection saves applications from XSS attacks. It was adopted
+| by IE and later followed by some other browsers.
+|
+| Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
+*/
+export const xss: ShieldConfig['xss'] = {
+  enabled: true,
+  enableOnOldIE: false,
+  mode: 'block',
+}
diff --git a/tsconfig.json b/tsconfig.json
@@ -4,5 +4,8 @@
     "./node_modules/@adonisjs/core/build/adonis-typings/index.d.ts",
     "./node_modules/@adonisjs/session/build/adonis-typings/index.d.ts",
     "./node_modules/@adonisjs/view/build/adonis-typings/index.d.ts"
-  ]
+  ],
+  "compilerOptions": {
+    "skipLibCheck": true
+  }
 }