Add shield

.adonisrc.json

@@ -30,7 +30,8 @@
     "@adonisjs/mail",
     "@adonisjs/view",
     "@adonisjs/bouncer",
-    "@adonisjs/ally"
+    "@adonisjs/ally",
+    "@adonisjs/shield"
   ],
   "aceProviders": [
     "@adonisjs/repl"

config/shield.ts

@@ -0,0 +1,238 @@
+/**
+ * Config source: https://git.io/Jvwvt
+ *
+ * Feel free to let us know via PR, if you find something broken in this config
+ * file.
+ */
+
+import Env from '@ioc:Adonis/Core/Env'
+import { ShieldConfig } from '@ioc:Adonis/Addons/Shield'
+
+/*
+|--------------------------------------------------------------------------
+| Content Security Policy
+|--------------------------------------------------------------------------
+|
+| Content security policy filters out the origins not allowed to execute
+| and load resources like scripts, styles and fonts. There are wide
+| variety of options to choose from.
+*/
+export const csp: ShieldConfig['csp'] = {
+  /*
+  |--------------------------------------------------------------------------
+  | Enable/disable CSP
+  |--------------------------------------------------------------------------
+  |
+  | The CSP rules are disabled by default for seamless onboarding.
+  |
+  */
+  enabled: false,
+
+  /*
+  |--------------------------------------------------------------------------
+  | Directives
+  |--------------------------------------------------------------------------
+  |
+  | All directives are defined in camelCase and here is the list of
+  | available directives and their possible values.
+  |
+  | https://content-security-policy.com
+  |
+  | @example
+  | directives: {
+  |   defaultSrc: ['self', '@nonce', 'cdnjs.cloudflare.com']
+  | }
+  |
+  */
+  directives: {
+  },
+
+  /*
+  |--------------------------------------------------------------------------
+  | Report only
+  |--------------------------------------------------------------------------
+  |
+  | Setting `reportOnly=true` will not block the scripts from running and
+  | instead report them to a URL.
+  |
+  */
+  reportOnly: false,
+}
+
+/*
+|--------------------------------------------------------------------------
+| CSRF Protection
+|--------------------------------------------------------------------------
+|
+| CSRF Protection adds another layer of security by making sure, actionable
+| routes does have a valid token to execute an action.
+|
+*/
+export const csrf: ShieldConfig['csrf'] = {
+  /*
+  |--------------------------------------------------------------------------
+  | Enable/Disable CSRF
+  |--------------------------------------------------------------------------
+  */
+  enabled: Env.get('NODE_ENV') !== 'testing',
+
+  /*
+  |--------------------------------------------------------------------------
+  | Routes to Ignore
+  |--------------------------------------------------------------------------
+  |
+  | Define an array of route patterns that you want to ignore from CSRF
+  | validation. Make sure the route patterns are started with a leading
+  | slash. Example:
+  |
+  | `/foo/bar`
+	|
+	| Also you can define a function that is evaluated on every HTTP Request.
+	| ```
+	|  exceptRoutes: ({ request }) => request.url().includes('/api')
+	| ```
+  |
+  */
+  exceptRoutes: [],
+
+  /*
+  |--------------------------------------------------------------------------
+  | Enable Sharing Token Via Cookie
+  |--------------------------------------------------------------------------
+  |
+  | When the following flag is enabled, AdonisJS will drop `XSRF-TOKEN`
+  | cookie that frontend frameworks can read and return back as a
+  | `X-XSRF-TOKEN` header.
+  |
+  | The cookie has `httpOnly` flag set to false, so it is little insecure and
+  | can be turned off when you are not using a frontend framework making
+  | AJAX requests.
+  |
+  */
+  enableXsrfCookie: true,
+
+  /*
+  |--------------------------------------------------------------------------
+  | Methods to Validate
+  |--------------------------------------------------------------------------
+  |
+  | Define an array of HTTP methods to be validated for a valid CSRF token.
+  |
+  */
+  methods: ['POST', 'PUT', 'PATCH', 'DELETE'],
+}
+
+/*
+|--------------------------------------------------------------------------
+| DNS Prefetching
+|--------------------------------------------------------------------------
+|
+| DNS prefetching allows browsers to proactively perform domain name
+| resolution in background.
+|
+| Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control
+|
+*/
+export const dnsPrefetch: ShieldConfig['dnsPrefetch'] = {
+  /*
+  |--------------------------------------------------------------------------
+  | Enable/disable this feature
+  |--------------------------------------------------------------------------
+  */
+  enabled: true,
+
+  /*
+  |--------------------------------------------------------------------------
+  | Allow or Dis-Allow Explicitly
+  |--------------------------------------------------------------------------
+  |
+  | The `enabled` boolean does not set `X-DNS-Prefetch-Control` header. However
+  | the `allow` boolean controls the value of `X-DNS-Prefetch-Control` header.
+  |
+  | - When `allow = true`, then `X-DNS-Prefetch-Control = 'on'`
+  | - When `allow = false`, then `X-DNS-Prefetch-Control = 'off'`
+  |
+  */
+  allow: true,
+}
+
+/*
+|--------------------------------------------------------------------------
+| Iframe Options
+|--------------------------------------------------------------------------
+|
+| xFrame defines whether or not your website can be embedded inside an
+| iframe. Choose from one of the following options.
+|
+| - DENY
+| - SAMEORIGIN
+| - ALLOW-FROM http://example.com
+|
+| Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+*/
+export const xFrame: ShieldConfig['xFrame'] = {
+  enabled: true,
+  action: 'DENY',
+}
+
+/*
+|--------------------------------------------------------------------------
+| Http Strict Transport Security
+|--------------------------------------------------------------------------
+|
+| A security to ensure that a browser always makes a connection over
+| HTTPS.
+|
+| Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
+|
+*/
+export const hsts: ShieldConfig['hsts'] = {
+  enabled: true,
+  /*
+  |--------------------------------------------------------------------------
+  | Max Age
+  |--------------------------------------------------------------------------
+  |
+  | Control, how long the browser should remember that a site is only to be
+  | accessed using HTTPS.
+  |
+  */
+  maxAge: '180 days',
+
+  /*
+  |--------------------------------------------------------------------------
+  | Include Subdomains
+  |--------------------------------------------------------------------------
+  |
+  | Apply rules on the subdomains as well.
+  |
+  */
+  includeSubDomains: true,
+
+  /*
+  |--------------------------------------------------------------------------
+  | Preloading
+  |--------------------------------------------------------------------------
+  |
+  | Google maintains a service to register your domain and it will preload
+  | the HSTS policy. Learn more https://hstspreload.org/
+  |
+  */
+  preload: false,
+}
+
+/*
+|--------------------------------------------------------------------------
+| No Sniff
+|--------------------------------------------------------------------------
+|
+| Browsers have a habit of sniffing content-type of a response. Which means
+| files with .txt extension containing Javascript code will be executed as
+| Javascript. You can disable this behavior by setting nosniff to false.
+|
+| Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+|
+*/
+export const contentTypeSniffing: ShieldConfig['contentTypeSniffing'] = {
+  enabled: true,
+}

package.json

@@ -28,6 +28,7 @@
     "@adonisjs/redis": "^7.0.6",
     "@adonisjs/repl": "^3.1.4",
     "@adonisjs/session": "^6.1.1",
+    "@adonisjs/shield": "^7.0.5",
     "@adonisjs/view": "^6.0.3",
     "axios": "^0.21.1",
     "luxon": "^1.27.0",

start/kernel.ts

@@ -22,6 +22,7 @@ import Server from "@ioc:Adonis/Core/Server";
 
 Server.middleware.register([
   () => import('@ioc:Adonis/Core/BodyParser'),
+  () => import('@ioc:Adonis/Addons/Shield'),
   () => import('App/Middleware/SilentAuth'),
 ])
 

tsconfig.json

@@ -35,7 +35,8 @@
       "@adonisjs/mail",
       "@adonisjs/view",
       "@adonisjs/ally",
-      "@adonisjs/bouncer"
+      "@adonisjs/bouncer",
+      "@adonisjs/shield"
     ]
   }
 }

yarn.lock

@@ -281,6 +281,15 @@
     "@poppinss/utils" "^3.1.5"
     fs-extra "^10.0.0"
 
+"@adonisjs/shield@^7.0.5":
+  version "7.0.5"
+  resolved "https://registry.yarnpkg.com/@adonisjs/shield/-/shield-7.0.5.tgz#7103c1fa8fa0b42883988a12a5caac8371fc548d"
+  integrity sha512-Gst4PXDMOKBq5VLNrt4p3QK3fHDR4U3CdIJIWyrV+HZtbVXQM+SI8+aIK7WXUpNuaI5y10ux1qzJ2qHHjWLwTQ==
+  dependencies:
+    "@poppinss/utils" "^3.1.5"
+    csrf "^3.1.0"
+    helmet-csp "^3.4.0"
+
 "@adonisjs/sink@^5.1.5":
   version "5.1.5"
   resolved "https://registry.yarnpkg.com/@adonisjs/sink/-/sink-5.1.5.tgz#8a238052d66f06dd9894516eb7270797c6489b2b"
@@ -1396,6 +1405,15 @@ cross-spawn@^7.0.3:
     shebang-command "^2.0.0"
     which "^2.0.1"
 
+csrf@^3.1.0:
+  version "3.1.0"
+  resolved "https://registry.yarnpkg.com/csrf/-/csrf-3.1.0.tgz#ec75e9656d004d674b8ef5ba47b41fbfd6cb9c30"
+  integrity sha512-uTqEnCvWRk042asU6JtapDTcJeeailFy4ydOQS28bj1hcLnYRiqi8SsD2jS412AY1I/4qdOwWZun774iqywf9w==
+  dependencies:
+    rndm "1.2.0"
+    tsscmp "1.0.6"
+    uid-safe "2.1.5"
+
 css-select@^4.1.3:
   version "4.1.3"
   resolved "https://registry.yarnpkg.com/css-select/-/css-select-4.1.3.tgz#a70440f70317f2669118ad74ff105e65849c7067"
@@ -2175,6 +2193,11 @@ header-case@^2.0.4:
     capital-case "^1.0.4"
     tslib "^2.0.3"
 
+helmet-csp@^3.4.0:
+  version "3.4.0"
+  resolved "https://registry.yarnpkg.com/helmet-csp/-/helmet-csp-3.4.0.tgz#7fdd0b0274cd90a64664e2ed8e48f9a430037233"
+  integrity sha512-a+YgzWw6dajqhQfb6ktxil0FsQuWTKzrLSUfy55dxS8fuvl1jidTIMPZ2udN15mjjcpBPgTHNHGF5tyWKYyR8w==
+
 html-minifier@^4.0.0:
   version "4.0.0"
   resolved "https://registry.yarnpkg.com/html-minifier/-/html-minifier-4.0.0.tgz#cca9aad8bce1175e02e17a8c33e46d8988889f56"
@@ -4082,6 +4105,11 @@ rimraf@^3.0.2:
   dependencies:
     glob "^7.1.3"
 
+rndm@1.2.0:
+  version "1.2.0"
+  resolved "https://registry.yarnpkg.com/rndm/-/rndm-1.2.0.tgz#f33fe9cfb52bbfd520aa18323bc65db110a1b76c"
+  integrity sha1-8z/pz7Urv9UgqhgyO8ZdsRCht2w=
+
 safe-buffer@5.1.2, safe-buffer@~5.1.0, safe-buffer@~5.1.1:
   version "5.1.2"
   resolved "https://registry.yarnpkg.com/safe-buffer/-/safe-buffer-5.1.2.tgz#991ec69d296e0313747d59bdfd2b745c35f8828d"
@@ -4612,6 +4640,11 @@ tslib@^2.0.3, tslib@^2.2.0, tslib@^2.3.0:
   resolved "https://registry.yarnpkg.com/tslib/-/tslib-2.3.1.tgz#e8a335add5ceae51aa261d32a490158ef042ef01"
   integrity sha512-77EbyPPpMz+FRFRuAFlWMtmgUWGe9UOG2Z25NqCwiIjRhOf5iKGuzSe5P2w1laq+FkRy4p+PCuVkJSGkzTEKVw==
 
+tsscmp@1.0.6:
+  version "1.0.6"
+  resolved "https://registry.yarnpkg.com/tsscmp/-/tsscmp-1.0.6.tgz#85b99583ac3589ec4bfef825b5000aa911d605eb"
+  integrity sha512-LxhtAkPDTkVCMQjt2h6eBVY28KCjikZqZfMcC15YBeNjkgUpdCfBu5HoiOTDu86v6smE8yOjyEktJ8hlbANHQA==
+
 tsse@^2.0.0:
   version "2.0.0"
   resolved "https://registry.yarnpkg.com/tsse/-/tsse-2.0.0.tgz#757a1357473fecaffb5c70024acd179514779f64"