seepur/config/shield.js

141 lines
4.6 KiB
JavaScript
Raw Normal View History

2020-01-14 01:57:43 +00:00
'use strict'
module.exports = {
/*
|--------------------------------------------------------------------------
| Content Security Policy
|--------------------------------------------------------------------------
|
| Content security policy filters out the origins not allowed to execute
| and load resources like scripts, styles and fonts. There are wide
| variety of options to choose from.
*/
csp: {
/*
|--------------------------------------------------------------------------
| Directives
|--------------------------------------------------------------------------
|
| All directives are defined in camelCase and here is the list of
| available directives and their possible values.
|
| https://content-security-policy.com
|
| @example
| directives: {
| defaultSrc: ['self', '@nonce', 'cdnjs.cloudflare.com']
| }
|
*/
2020-03-17 22:16:34 +00:00
directives: {},
2020-01-14 01:57:43 +00:00
/*
|--------------------------------------------------------------------------
| Report only
|--------------------------------------------------------------------------
|
| Setting `reportOnly=true` will not block the scripts from running and
| instead report them to a URL.
|
*/
reportOnly: false,
/*
|--------------------------------------------------------------------------
| Set all headers
|--------------------------------------------------------------------------
|
| Headers staring with `X` have been depreciated, since all major browsers
| supports the standard CSP header. So its better to disable deperciated
| headers, unless you want them to be set.
|
*/
setAllHeaders: false,
/*
|--------------------------------------------------------------------------
| Disable on android
|--------------------------------------------------------------------------
|
| Certain versions of android are buggy with CSP policy. So you can set
| this value to true, to disable it for Android versions with buggy
| behavior.
|
| Here is an issue reported on a different package, but helpful to read
2020-03-17 22:16:34 +00:00
| if you want to know the behavior.
https://github.com/helmetjs/helmet/pull/82
2020-01-14 01:57:43 +00:00
|
*/
disableAndroid: true
},
/*
|--------------------------------------------------------------------------
| X-XSS-Protection
|--------------------------------------------------------------------------
|
| X-XSS Protection saves applications from XSS attacks. It is adopted
| by IE and later followed by some other browsers.
|
2020-03-17 22:16:34 +00:00
| Learn more at
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
2020-01-14 01:57:43 +00:00
|
*/
2020-03-17 22:16:34 +00:00
xss: {enabled: true, enableOnOldIE: false},
2020-01-14 01:57:43 +00:00
/*
|--------------------------------------------------------------------------
| Iframe Options
|--------------------------------------------------------------------------
|
| xframe defines whether or not your website can be embedded inside an
| iframe. Choose from one of the following options.
| @available options
| DENY, SAMEORIGIN, ALLOW-FROM http://example.com
|
2020-03-17 22:16:34 +00:00
| Learn more at
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
2020-01-14 01:57:43 +00:00
*/
xframe: 'DENY',
/*
|--------------------------------------------------------------------------
| No Sniff
|--------------------------------------------------------------------------
|
| Browsers have a habit of sniffing content-type of a response. Which means
| files with .txt extension containing Javascript code will be executed as
| Javascript. You can disable this behavior by setting nosniff to false.
|
2020-03-17 22:16:34 +00:00
| Learn more at
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
2020-01-14 01:57:43 +00:00
|
*/
nosniff: true,
/*
|--------------------------------------------------------------------------
| No Open
|--------------------------------------------------------------------------
|
| IE users can execute webpages in the context of your website, which is
| a serious security risk. Below option will manage this for you.
|
*/
noopen: true,
/*
|--------------------------------------------------------------------------
| CSRF Protection
|--------------------------------------------------------------------------
|
| CSRF Protection adds another layer of security by making sure, actionable
| routes does have a valid token to execute an action.
|
*/
csrf: {
enable: true,
methods: ['POST', 'PUT', 'DELETE'],
2020-03-17 22:16:34 +00:00
filterUris: [/api\/v1\/client\/\w+/], // All Client API routes
cookieOptions: {httpOnly: false, sameSite: true, path: '/', maxAge: 7200}
2020-01-14 01:57:43 +00:00
}
}