- Enable CSRF protection with XSRF cookie for Inertia.js/React SPA
- Enable HSTS with 180-day max-age and includeSubDomains
- Enable CSP with nonce-based script policy, unsafe-inline for Tailwind styles, and restrictive defaults for frames/objects
- Allow map tile sources in img-src for offline map support

https://claude.ai/code/session_01JFvpTYgm8GiE4vJ4cJKsFx
import { defineConfig } from '@adonisjs/shield'
const shieldConfig = defineConfig({
  /**
   * Content-Security-Policy for the app. Enforced (not report-only), so
   * anything outside the directives below is blocked by the browser.
   * Refer documentation to learn more.
   */
  csp: {
    enabled: true,
    directives: {
      // Fallback for every fetch type without its own directive: same-origin only.
      defaultSrc: ["'self'"],
      // Nonce-based script policy: shield substitutes a per-request nonce for
      // '@nonce', so only same-origin script files and scripts carrying that
      // nonce are allowed to run.
      scriptSrc: ["'self'", '@nonce'],
      // 'unsafe-inline' is required for Tailwind's inline styles. It applies to
      // styles only and does not loosen the script policy above.
      styleSrc: ["'self'", "'unsafe-inline'"],
      // data:/blob: cover generated images; the wildcard host is the map tile
      // source used for offline map support.
      imgSrc: ["'self'", 'data:', 'blob:', 'https://*.tile.openstreetmap.org'],
      fontSrc: ["'self'"],
      // fetch/XHR/WebSocket targets are same-origin only; any external API or
      // socket endpoint the client talks to would have to be listed here.
      connectSrc: ["'self'"],
      // This page may not embed frames or plugin content.
      frameSrc: ["'none'"],
      objectSrc: ["'none'"],
      // Blocks <base href> injection and restricts form submission targets to
      // this origin.
      baseUri: ["'self'"],
      formAction: ["'self'"],
      // NOTE(review): frame-ancestors (who may embed *this* page) is not set
      // here; embedding is currently blocked only through the xFrame option
      // below. Consider adding it as the CSP counterpart — confirm the key
      // name this shield version accepts.
    },
    // Violations are blocked, not merely reported.
    reportOnly: false,
  },

  /**
   * CSRF protection options. Refer documentation to learn more.
   */
  csrf: {
    enabled: true,
    // No routes are exempt from the token check.
    exceptRoutes: [],
    // Also expose the token in an XSRF cookie so the Inertia.js/React client
    // can read it and send it back on state-changing requests.
    enableXsrfCookie: true,
    // Only these verbs are verified; methods not listed (e.g. GET) are not.
    methods: ['POST', 'PUT', 'PATCH', 'DELETE'],
  },

  /**
   * Control how your website should be embedded inside iFrames.
   * DENY forbids embedding by any origin, including this one.
   */
  xFrame: {
    enabled: true,
    action: 'DENY',
  },

  /**
   * Force browser to always use HTTPS (Strict-Transport-Security).
   * 180 days is below the one-year minimum the HSTS preload list requires,
   * and no preload flag is set here — presumably intentional; confirm.
   */
  hsts: {
    enabled: true,
    maxAge: '180 days',
    includeSubDomains: true,
  },

  /**
   * Disable browsers from sniffing the content type of a
   * response and always rely on the "content-type" header.
   */
  contentTypeSniffing: {
    enabled: true,
  },
})

export default shieldConfig