UNPKG

@adonisjs/shield

Version:

A middleware for AdonisJS to keep web applications secure from common web attacks

github.com/adonisjs/shield

adonisjs/shield

99 lines (98 loc) 2.32 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
import type { HttpContext } from '@adonisjs/core/http'; import type { CookieOptions } from '@adonisjs/core/types/http'; import type { ContentSecurityPolicyOptions } from 'helmet-csp'; export type ValueOf<T> = T[keyof T]; /** * Config for `X-Frame-Options` header */ export type XFrameOptions = { /** * Enable/disable the guard */ enabled: boolean; action?: 'DENY' | 'SAMEORIGIN'; } | { /** * Enable/disable the guard */ enabled: boolean; action?: 'ALLOW-FROM'; /** * Define the domain when the action equals "ALLOW-FROM" */ domain: string; }; /** * Config for X-Content-Type-Options */ export type ContentTypeSniffingOptions = { /** * Enable/disable the guard */ enabled: boolean; }; /** * Config for HTTP Strict Transport Security (HSTS) */ export type HstsOptions = { /** * Enable/disable the guard */ enabled: boolean; /** * Max-age in seconds or a time based string * expression */ maxAge?: string | number; /** * Apply the HSTS directive on subdomains as well */ includeSubDomains?: boolean; /** * Enable preloading of HSTS. This is a non-standard feature * and you must read the MDN specification to learn more * about it. * https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security */ preload?: boolean; }; /** * Config for working with CSP */ export type CspOptions = { enabled: boolean; } & ContentSecurityPolicyOptions; /** * Config for working with CSRF options */ export type CsrfOptions = { /** * Enable/disable the guard */ enabled: boolean; /** * Ignore CSRF validation for the mentioned routes */ exceptRoutes?: string[] | ((ctx: HttpContext) => boolean); /** * Share CSRF token as a cookie */ enableXsrfCookie?: boolean; /** * HTTP methods to validate for CSRF tokens. * * Default: PUT, PATCH, POST, DELETE */ methods?: ReadonlyArray<string>; cookieOptions?: Partial<CookieOptions>; }; /** * Shield config file types */ export type ShieldConfig = { xFrame: XFrameOptions; contentTypeSniffing: ContentTypeSniffingOptions; hsts: HstsOptions; csp: CspOptions; csrf: CsrfOptions; };