github-mirror/project-nomad
1
0
Fork 0
mirror of https://github.com/Crosstalk-Solutions/project-nomad.git synced 2026-03-29 13:09:26 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity
2d285bfbc7
project-nomad/admin/config/session.ts
Claude 3ddbe731a5
security: fix CORS, CSRF, CSP, HSTS, sessions, and path traversal 
- CORS: restrict origin from wildcard '*' to app URL from env (prevents
  cross-origin requests from arbitrary sites)
- Sessions: enable @adonisjs/session with cookie store and httpOnly/secure
  cookie flags; uncomment session middleware in kernel.ts
- CSRF: enable shield CSRF protection (requires sessions); uses XSRF-TOKEN
  cookie mechanism compatible with Inertia.js/Axios; exempts /api/health
  and SSE transmit endpoints
- CSP: enable Content Security Policy with restrictive directives
  (no object-src, no frame-src, self-only script/style/connect/font)
- HSTS: enable HTTP Strict Transport Security in production only
- Path traversal: tighten filenameParamValidator to block /, \, ..,
  and shell special characters; reduce max length from 4096 to 255
- env: add URL to .env.example; uncomment SESSION_DRIVER validation in env.ts

https://claude.ai/code/session_01WfRC4tDeYprykhMrg4PxX6
2026-03-22 21:11:18 +00:00

49 lines
1.0 KiB
TypeScript
Raw Blame History

import env from '#start/env'
import app from '@adonisjs/core/services/app'
import { defineConfig, stores } from '@adonisjs/session'
const sessionConfig = defineConfig({
enabled: true,
cookieName: 'nomad-session',
/**
* When set to true, the session id cookie will be deleted
* once the user closes the browser.
*/
clearWithBrowser: false,
/**
* Define how long to keep the session data alive without
* any activity.
*/
age: '2h',
/**
* Configuration for session cookie and the
* cookie store
*/
cookie: {
path: '/',
httpOnly: true,
secure: app.inProduction,
sameSite: 'lax',
},
/**
* The store to use. Make sure to validate the environment
* variable in order to infer the store name without any
* errors.
*/
store: env.get('SESSION_DRIVER'),
/**
* List of configured stores. Refer documentation to see
* list of available stores and their config.
*/
stores: {
cookie: stores.cookie(),
},
})
export default sessionConfig
Reference in New Issue View Git Blame Copy Permalink