mirror of
https://github.com/Crosstalk-Solutions/project-nomad.git
synced 2026-03-29 21:19:25 +02:00
3ddbe731a5
- CORS: restrict origin from wildcard '*' to app URL from env (prevents cross-origin requests from arbitrary sites) - Sessions: enable @adonisjs/session with cookie store and httpOnly/secure cookie flags; uncomment session middleware in kernel.ts - CSRF: enable shield CSRF protection (requires sessions); uses XSRF-TOKEN cookie mechanism compatible with Inertia.js/Axios; exempts /api/health and SSE transmit endpoints - CSP: enable Content Security Policy with restrictive directives (no object-src, no frame-src, self-only script/style/connect/font) - HSTS: enable HTTP Strict Transport Security in production only - Path traversal: tighten filenameParamValidator to block /, \, .., and shell special characters; reduce max length from 4096 to 255 - env: add URL to .env.example; uncomment SESSION_DRIVER validation in env.ts https://claude.ai/code/session_01WfRC4tDeYprykhMrg4PxX6
65 lines
1.5 KiB
TypeScript
65 lines
1.5 KiB
TypeScript
import app from '@adonisjs/core/services/app'
|
|
import { defineConfig } from '@adonisjs/shield'
|
|
|
|
const shieldConfig = defineConfig({
|
|
/**
|
|
* Configure CSP policies for your app. Refer documentation
|
|
* to learn more
|
|
*/
|
|
csp: {
|
|
enabled: true,
|
|
directives: {
|
|
defaultSrc: ["'self'"],
|
|
scriptSrc: ["'self'", "'unsafe-inline'"], // unsafe-inline required for Inertia.js page props
|
|
styleSrc: ["'self'", "'unsafe-inline'"],
|
|
imgSrc: ["'self'", 'data:', 'blob:'],
|
|
connectSrc: ["'self'"],
|
|
fontSrc: ["'self'"],
|
|
objectSrc: ["'none'"],
|
|
frameSrc: ["'none'"],
|
|
baseUri: ["'self'"],
|
|
formAction: ["'self'"],
|
|
},
|
|
reportOnly: false,
|
|
},
|
|
|
|
/**
|
|
* Configure CSRF protection options. Refer documentation
|
|
* to learn more
|
|
*/
|
|
csrf: {
|
|
enabled: true,
|
|
// Exempt health check and SSE/transmit endpoints from CSRF
|
|
exceptRoutes: ['/api/health', '/__transmit/events', '/__transmit/unsubscribe'],
|
|
enableXsrfCookie: true,
|
|
methods: ['POST', 'PUT', 'PATCH', 'DELETE'],
|
|
},
|
|
|
|
/**
|
|
* Control how your website should be embedded inside
|
|
* iFrames
|
|
*/
|
|
xFrame: {
|
|
enabled: true,
|
|
action: 'DENY',
|
|
},
|
|
|
|
/**
|
|
* Force browser to always use HTTPS
|
|
*/
|
|
hsts: {
|
|
enabled: app.inProduction,
|
|
maxAge: '180 days',
|
|
},
|
|
|
|
/**
|
|
* Disable browsers from sniffing the content type of a
|
|
* response and always rely on the "content-type" header.
|
|
*/
|
|
contentTypeSniffing: {
|
|
enabled: true,
|
|
},
|
|
})
|
|
|
|
export default shieldConfig
|