diff --git a/.adonisrc.json b/.adonisrc.json index 18d531a..f7394a4 100755 --- a/.adonisrc.json +++ b/.adonisrc.json @@ -30,7 +30,8 @@ "@adonisjs/mail", "@adonisjs/view", "@adonisjs/bouncer", - "@adonisjs/ally" + "@adonisjs/ally", + "@adonisjs/shield" ], "aceProviders": [ "@adonisjs/repl" diff --git a/config/shield.ts b/config/shield.ts new file mode 100644 index 0000000..4074832 --- /dev/null +++ b/config/shield.ts @@ -0,0 +1,238 @@ +/** + * Config source: https://git.io/Jvwvt + * + * Feel free to let us know via PR, if you find something broken in this config + * file. + */ + +import Env from '@ioc:Adonis/Core/Env' +import { ShieldConfig } from '@ioc:Adonis/Addons/Shield' + +/* +|-------------------------------------------------------------------------- +| Content Security Policy +|-------------------------------------------------------------------------- +| +| Content security policy filters out the origins not allowed to execute +| and load resources like scripts, styles and fonts. There are wide +| variety of options to choose from. +*/ +export const csp: ShieldConfig['csp'] = { + /* + |-------------------------------------------------------------------------- + | Enable/disable CSP + |-------------------------------------------------------------------------- + | + | The CSP rules are disabled by default for seamless onboarding. + | + */ + enabled: false, + + /* + |-------------------------------------------------------------------------- + | Directives + |-------------------------------------------------------------------------- + | + | All directives are defined in camelCase and here is the list of + | available directives and their possible values. + | + | https://content-security-policy.com + | + | @example + | directives: { + | defaultSrc: ['self', '@nonce', 'cdnjs.cloudflare.com'] + | } + | + */ + directives: { + }, + + /* + |-------------------------------------------------------------------------- + | Report only + |-------------------------------------------------------------------------- + | + | Setting `reportOnly=true` will not block the scripts from running and + | instead report them to a URL. + | + */ + reportOnly: false, +} + +/* +|-------------------------------------------------------------------------- +| CSRF Protection +|-------------------------------------------------------------------------- +| +| CSRF Protection adds another layer of security by making sure, actionable +| routes does have a valid token to execute an action. +| +*/ +export const csrf: ShieldConfig['csrf'] = { + /* + |-------------------------------------------------------------------------- + | Enable/Disable CSRF + |-------------------------------------------------------------------------- + */ + enabled: Env.get('NODE_ENV') !== 'testing', + + /* + |-------------------------------------------------------------------------- + | Routes to Ignore + |-------------------------------------------------------------------------- + | + | Define an array of route patterns that you want to ignore from CSRF + | validation. Make sure the route patterns are started with a leading + | slash. Example: + | + | `/foo/bar` + | + | Also you can define a function that is evaluated on every HTTP Request. + | ``` + | exceptRoutes: ({ request }) => request.url().includes('/api') + | ``` + | + */ + exceptRoutes: [], + + /* + |-------------------------------------------------------------------------- + | Enable Sharing Token Via Cookie + |-------------------------------------------------------------------------- + | + | When the following flag is enabled, AdonisJS will drop `XSRF-TOKEN` + | cookie that frontend frameworks can read and return back as a + | `X-XSRF-TOKEN` header. + | + | The cookie has `httpOnly` flag set to false, so it is little insecure and + | can be turned off when you are not using a frontend framework making + | AJAX requests. + | + */ + enableXsrfCookie: true, + + /* + |-------------------------------------------------------------------------- + | Methods to Validate + |-------------------------------------------------------------------------- + | + | Define an array of HTTP methods to be validated for a valid CSRF token. + | + */ + methods: ['POST', 'PUT', 'PATCH', 'DELETE'], +} + +/* +|-------------------------------------------------------------------------- +| DNS Prefetching +|-------------------------------------------------------------------------- +| +| DNS prefetching allows browsers to proactively perform domain name +| resolution in background. +| +| Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control +| +*/ +export const dnsPrefetch: ShieldConfig['dnsPrefetch'] = { + /* + |-------------------------------------------------------------------------- + | Enable/disable this feature + |-------------------------------------------------------------------------- + */ + enabled: true, + + /* + |-------------------------------------------------------------------------- + | Allow or Dis-Allow Explicitly + |-------------------------------------------------------------------------- + | + | The `enabled` boolean does not set `X-DNS-Prefetch-Control` header. However + | the `allow` boolean controls the value of `X-DNS-Prefetch-Control` header. + | + | - When `allow = true`, then `X-DNS-Prefetch-Control = 'on'` + | - When `allow = false`, then `X-DNS-Prefetch-Control = 'off'` + | + */ + allow: true, +} + +/* +|-------------------------------------------------------------------------- +| Iframe Options +|-------------------------------------------------------------------------- +| +| xFrame defines whether or not your website can be embedded inside an +| iframe. Choose from one of the following options. +| +| - DENY +| - SAMEORIGIN +| - ALLOW-FROM http://example.com +| +| Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options +*/ +export const xFrame: ShieldConfig['xFrame'] = { + enabled: true, + action: 'DENY', +} + +/* +|-------------------------------------------------------------------------- +| Http Strict Transport Security +|-------------------------------------------------------------------------- +| +| A security to ensure that a browser always makes a connection over +| HTTPS. +| +| Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security +| +*/ +export const hsts: ShieldConfig['hsts'] = { + enabled: true, + /* + |-------------------------------------------------------------------------- + | Max Age + |-------------------------------------------------------------------------- + | + | Control, how long the browser should remember that a site is only to be + | accessed using HTTPS. + | + */ + maxAge: '180 days', + + /* + |-------------------------------------------------------------------------- + | Include Subdomains + |-------------------------------------------------------------------------- + | + | Apply rules on the subdomains as well. + | + */ + includeSubDomains: true, + + /* + |-------------------------------------------------------------------------- + | Preloading + |-------------------------------------------------------------------------- + | + | Google maintains a service to register your domain and it will preload + | the HSTS policy. Learn more https://hstspreload.org/ + | + */ + preload: false, +} + +/* +|-------------------------------------------------------------------------- +| No Sniff +|-------------------------------------------------------------------------- +| +| Browsers have a habit of sniffing content-type of a response. Which means +| files with .txt extension containing Javascript code will be executed as +| Javascript. You can disable this behavior by setting nosniff to false. +| +| Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options +| +*/ +export const contentTypeSniffing: ShieldConfig['contentTypeSniffing'] = { + enabled: true, +} diff --git a/package.json b/package.json index fcf78be..66a1fb6 100755 --- a/package.json +++ b/package.json @@ -28,6 +28,7 @@ "@adonisjs/redis": "^7.0.6", "@adonisjs/repl": "^3.1.4", "@adonisjs/session": "^6.1.1", + "@adonisjs/shield": "^7.0.5", "@adonisjs/view": "^6.0.3", "axios": "^0.21.1", "luxon": "^1.27.0", diff --git a/start/kernel.ts b/start/kernel.ts index 2523202..67432f3 100755 --- a/start/kernel.ts +++ b/start/kernel.ts @@ -22,6 +22,7 @@ import Server from "@ioc:Adonis/Core/Server"; Server.middleware.register([ () => import('@ioc:Adonis/Core/BodyParser'), + () => import('@ioc:Adonis/Addons/Shield'), () => import('App/Middleware/SilentAuth'), ]) diff --git a/tsconfig.json b/tsconfig.json index 1194e95..09e3384 100755 --- a/tsconfig.json +++ b/tsconfig.json @@ -35,7 +35,8 @@ "@adonisjs/mail", "@adonisjs/view", "@adonisjs/ally", - "@adonisjs/bouncer" + "@adonisjs/bouncer", + "@adonisjs/shield" ] } } diff --git a/yarn.lock b/yarn.lock index 609095f..b9e7fa3 100644 --- a/yarn.lock +++ b/yarn.lock @@ -281,6 +281,15 @@ "@poppinss/utils" "^3.1.5" fs-extra "^10.0.0" +"@adonisjs/shield@^7.0.5": + version "7.0.5" + resolved "https://registry.yarnpkg.com/@adonisjs/shield/-/shield-7.0.5.tgz#7103c1fa8fa0b42883988a12a5caac8371fc548d" + integrity sha512-Gst4PXDMOKBq5VLNrt4p3QK3fHDR4U3CdIJIWyrV+HZtbVXQM+SI8+aIK7WXUpNuaI5y10ux1qzJ2qHHjWLwTQ== + dependencies: + "@poppinss/utils" "^3.1.5" + csrf "^3.1.0" + helmet-csp "^3.4.0" + "@adonisjs/sink@^5.1.5": version "5.1.5" resolved "https://registry.yarnpkg.com/@adonisjs/sink/-/sink-5.1.5.tgz#8a238052d66f06dd9894516eb7270797c6489b2b" @@ -1396,6 +1405,15 @@ cross-spawn@^7.0.3: shebang-command "^2.0.0" which "^2.0.1" +csrf@^3.1.0: + version "3.1.0" + resolved "https://registry.yarnpkg.com/csrf/-/csrf-3.1.0.tgz#ec75e9656d004d674b8ef5ba47b41fbfd6cb9c30" + integrity sha512-uTqEnCvWRk042asU6JtapDTcJeeailFy4ydOQS28bj1hcLnYRiqi8SsD2jS412AY1I/4qdOwWZun774iqywf9w== + dependencies: + rndm "1.2.0" + tsscmp "1.0.6" + uid-safe "2.1.5" + css-select@^4.1.3: version "4.1.3" resolved "https://registry.yarnpkg.com/css-select/-/css-select-4.1.3.tgz#a70440f70317f2669118ad74ff105e65849c7067" @@ -2175,6 +2193,11 @@ header-case@^2.0.4: capital-case "^1.0.4" tslib "^2.0.3" +helmet-csp@^3.4.0: + version "3.4.0" + resolved "https://registry.yarnpkg.com/helmet-csp/-/helmet-csp-3.4.0.tgz#7fdd0b0274cd90a64664e2ed8e48f9a430037233" + integrity sha512-a+YgzWw6dajqhQfb6ktxil0FsQuWTKzrLSUfy55dxS8fuvl1jidTIMPZ2udN15mjjcpBPgTHNHGF5tyWKYyR8w== + html-minifier@^4.0.0: version "4.0.0" resolved "https://registry.yarnpkg.com/html-minifier/-/html-minifier-4.0.0.tgz#cca9aad8bce1175e02e17a8c33e46d8988889f56" @@ -4082,6 +4105,11 @@ rimraf@^3.0.2: dependencies: glob "^7.1.3" +rndm@1.2.0: + version "1.2.0" + resolved "https://registry.yarnpkg.com/rndm/-/rndm-1.2.0.tgz#f33fe9cfb52bbfd520aa18323bc65db110a1b76c" + integrity sha1-8z/pz7Urv9UgqhgyO8ZdsRCht2w= + safe-buffer@5.1.2, safe-buffer@~5.1.0, safe-buffer@~5.1.1: version "5.1.2" resolved "https://registry.yarnpkg.com/safe-buffer/-/safe-buffer-5.1.2.tgz#991ec69d296e0313747d59bdfd2b745c35f8828d" @@ -4612,6 +4640,11 @@ tslib@^2.0.3, tslib@^2.2.0, tslib@^2.3.0: resolved "https://registry.yarnpkg.com/tslib/-/tslib-2.3.1.tgz#e8a335add5ceae51aa261d32a490158ef042ef01" integrity sha512-77EbyPPpMz+FRFRuAFlWMtmgUWGe9UOG2Z25NqCwiIjRhOf5iKGuzSe5P2w1laq+FkRy4p+PCuVkJSGkzTEKVw== +tsscmp@1.0.6: + version "1.0.6" + resolved "https://registry.yarnpkg.com/tsscmp/-/tsscmp-1.0.6.tgz#85b99583ac3589ec4bfef825b5000aa911d605eb" + integrity sha512-LxhtAkPDTkVCMQjt2h6eBVY28KCjikZqZfMcC15YBeNjkgUpdCfBu5HoiOTDu86v6smE8yOjyEktJ8hlbANHQA== + tsse@^2.0.0: version "2.0.0" resolved "https://registry.yarnpkg.com/tsse/-/tsse-2.0.0.tgz#757a1357473fecaffb5c70024acd179514779f64"