mirror of
https://github.com/Crosstalk-Solutions/project-nomad.git
synced 2026-03-31 05:59:26 +02:00
3ddbe731a5
- CORS: restrict origin from wildcard '*' to app URL from env (prevents cross-origin requests from arbitrary sites) - Sessions: enable @adonisjs/session with cookie store and httpOnly/secure cookie flags; uncomment session middleware in kernel.ts - CSRF: enable shield CSRF protection (requires sessions); uses XSRF-TOKEN cookie mechanism compatible with Inertia.js/Axios; exempts /api/health and SSE transmit endpoints - CSP: enable Content Security Policy with restrictive directives (no object-src, no frame-src, self-only script/style/connect/font) - HSTS: enable HTTP Strict Transport Security in production only - Path traversal: tighten filenameParamValidator to block /, \, .., and shell special characters; reduce max length from 4096 to 255 - env: add URL to .env.example; uncomment SESSION_DRIVER validation in env.ts https://claude.ai/code/session_01WfRC4tDeYprykhMrg4PxX6
21 lines
502 B
TypeScript
21 lines
502 B
TypeScript
import env from '#start/env'
|
|
import { defineConfig } from '@adonisjs/cors'
|
|
|
|
/**
|
|
* Configuration options to tweak the CORS policy. The following
|
|
* options are documented on the official documentation website.
|
|
*
|
|
* https://docs.adonisjs.com/guides/security/cors
|
|
*/
|
|
const corsConfig = defineConfig({
|
|
enabled: true,
|
|
origin: [env.get('URL')],
|
|
methods: ['GET', 'HEAD', 'POST', 'PUT', 'DELETE'],
|
|
headers: true,
|
|
exposeHeaders: [],
|
|
credentials: true,
|
|
maxAge: 90,
|
|
})
|
|
|
|
export default corsConfig
|