tethys.backend/config/shield.ts

import { defineConfig } from '@adonisjs/shield';

export default defineConfig({
    csp: {
        /*
  |--------------------------------------------------------------------------
  | Enable/disable CSP
  |--------------------------------------------------------------------------
  |
  | The CSP rules are disabled by default for seamless onboarding.
  |
  */
        enabled: false,

        /*
  |--------------------------------------------------------------------------
  | Directives
  |--------------------------------------------------------------------------
  |
  | All directives are defined in camelCase and here is the list of
  | available directives and their possible values.
  |
  | https://content-security-policy.com
  |
  | @example
  | directives: {
  |   defaultSrc: ["'self'", '@nonce', 'cdnjs.cloudflare.com']
  | }
  |
  */
        directives: {},

        /*
  |--------------------------------------------------------------------------
  | Report only
  |--------------------------------------------------------------------------
  |
  | Setting `reportOnly=true` will not block the scripts from running and
  | instead report them to a URL.
  |
  */
        reportOnly: false,
    },
    csrf: {
        /*
  |--------------------------------------------------------------------------
  | Enable/Disable CSRF
  |--------------------------------------------------------------------------
  */
        enabled: true,

        /*
  |--------------------------------------------------------------------------
  | Routes to Ignore
  |--------------------------------------------------------------------------
  |
  | Define an array of route patterns that you want to ignore from CSRF
  | validation. Make sure the route patterns are started with a leading
  | slash. Example:
  |
  | `/foo/bar`
    |
    | Also you can define a function that is evaluated on every HTTP Request.
    | ```
    |  exceptRoutes: ({ request }) => request.url().includes('/api')
    | ```
  |
  */
        exceptRoutes: [],

        /*
  |--------------------------------------------------------------------------
  | Enable Sharing Token Via Cookie
  |--------------------------------------------------------------------------
  |
  | When the following flag is enabled, AdonisJS will drop `XSRF-TOKEN`
  | cookie that frontend frameworks can read and return back as a
  | `X-XSRF-TOKEN` header.
  |
  | The cookie has `httpOnly` flag set to false, so it is little insecure and
  | can be turned off when you are not using a frontend framework making
  | AJAX requests.
  |
  */
        enableXsrfCookie: true,

        /*
  |--------------------------------------------------------------------------
  | Methods to Validate
  |--------------------------------------------------------------------------
  |
  | Define an array of HTTP methods to be validated for a valid CSRF token.
  |
  */
        methods: ['POST', 'PUT', 'PATCH', 'DELETE'],
    },
    hsts: {
        enabled: true,
        /*
  |--------------------------------------------------------------------------
  | Max Age
  |--------------------------------------------------------------------------
  |
  | Control, how long the browser should remember that a site is only to be
  | accessed using HTTPS.
  |
  */
        maxAge: '180 days',

        /*
  |--------------------------------------------------------------------------
  | Include Subdomains
  |--------------------------------------------------------------------------
  |
  | Apply rules on the subdomains as well.
  |
  */
        includeSubDomains: true,

        /*
  |--------------------------------------------------------------------------
  | Preloading
  |--------------------------------------------------------------------------
  |
  | Google maintains a service to register your domain and it will preload
  | the HSTS policy. Learn more https://hstspreload.org/
  |
  */
        preload: false,
    },
    contentTypeSniffing: {
        enabled: true,
    },
});
- update to AdonisJS 6 2024-03-14 19:25:27 +00:00			`import { defineConfig } from '@adonisjs/shield';`
initial commit 2023-03-03 15:54:28 +00:00
- update to AdonisJS 6 2024-03-14 19:25:27 +00:00			`export default defineConfig({`
			`csp: {`
			`/*`
initial commit 2023-03-03 15:54:28 +00:00			`\|--------------------------------------------------------------------------`
			`\| Enable/disable CSP`
			`\|--------------------------------------------------------------------------`
			`\|`
			`\| The CSP rules are disabled by default for seamless onboarding.`
			`\|`
			`*/`
- update to AdonisJS 6 2024-03-14 19:25:27 +00:00			`enabled: false,`
initial commit 2023-03-03 15:54:28 +00:00
- update to AdonisJS 6 2024-03-14 19:25:27 +00:00			`/*`
initial commit 2023-03-03 15:54:28 +00:00			`\|--------------------------------------------------------------------------`
			`\| Directives`
			`\|--------------------------------------------------------------------------`
			`\|`
			`\| All directives are defined in camelCase and here is the list of`
			`\| available directives and their possible values.`
			`\|`
			`\| https://content-security-policy.com`
			`\|`
			`\| @example`
			`\| directives: {`
			`\| defaultSrc: ["'self'", '@nonce', 'cdnjs.cloudflare.com']`
			`\| }`
			`\|`
			`*/`
- update to AdonisJS 6 2024-03-14 19:25:27 +00:00			`directives: {},`
initial commit 2023-03-03 15:54:28 +00:00
- update to AdonisJS 6 2024-03-14 19:25:27 +00:00			`/*`
initial commit 2023-03-03 15:54:28 +00:00			`\|--------------------------------------------------------------------------`
			`\| Report only`
			`\|--------------------------------------------------------------------------`
			`\|`
			\| Setting `reportOnly=true` will not block the scripts from running and
			`\| instead report them to a URL.`
			`\|`
			`*/`
- update to AdonisJS 6 2024-03-14 19:25:27 +00:00			`reportOnly: false,`
			`},`
			`csrf: {`
			`/*`
initial commit 2023-03-03 15:54:28 +00:00			`\|--------------------------------------------------------------------------`
			`\| Enable/Disable CSRF`
			`\|--------------------------------------------------------------------------`
			`*/`
- update to AdonisJS 6 2024-03-14 19:25:27 +00:00			`enabled: true,`
initial commit 2023-03-03 15:54:28 +00:00
- update to AdonisJS 6 2024-03-14 19:25:27 +00:00			`/*`
initial commit 2023-03-03 15:54:28 +00:00			`\|--------------------------------------------------------------------------`
			`\| Routes to Ignore`
			`\|--------------------------------------------------------------------------`
			`\|`
			`\| Define an array of route patterns that you want to ignore from CSRF`
			`\| validation. Make sure the route patterns are started with a leading`
			`\| slash. Example:`
			`\|`
			\| `/foo/bar`
- update to AdonisJS 6 2024-03-14 19:25:27 +00:00			`\|`
			`\| Also you can define a function that is evaluated on every HTTP Request.`
			\| ```
			`\| exceptRoutes: ({ request }) => request.url().includes('/api')`
			\| ```
initial commit 2023-03-03 15:54:28 +00:00			`\|`
			`*/`
- update to AdonisJS 6 2024-03-14 19:25:27 +00:00			`exceptRoutes: [],`
initial commit 2023-03-03 15:54:28 +00:00
- update to AdonisJS 6 2024-03-14 19:25:27 +00:00			`/*`
initial commit 2023-03-03 15:54:28 +00:00			`\|--------------------------------------------------------------------------`
			`\| Enable Sharing Token Via Cookie`
			`\|--------------------------------------------------------------------------`
			`\|`
			\| When the following flag is enabled, AdonisJS will drop `XSRF-TOKEN`
			`\| cookie that frontend frameworks can read and return back as a`
			\| `X-XSRF-TOKEN` header.
			`\|`
			\| The cookie has `httpOnly` flag set to false, so it is little insecure and
			`\| can be turned off when you are not using a frontend framework making`
			`\| AJAX requests.`
			`\|`
			`*/`
- update to AdonisJS 6 2024-03-14 19:25:27 +00:00			`enableXsrfCookie: true,`
initial commit 2023-03-03 15:54:28 +00:00
- update to AdonisJS 6 2024-03-14 19:25:27 +00:00			`/*`
initial commit 2023-03-03 15:54:28 +00:00			`\|--------------------------------------------------------------------------`
			`\| Methods to Validate`
			`\|--------------------------------------------------------------------------`
			`\|`
			`\| Define an array of HTTP methods to be validated for a valid CSRF token.`
			`\|`
			`*/`
- update to AdonisJS 6 2024-03-14 19:25:27 +00:00			`methods: ['POST', 'PUT', 'PATCH', 'DELETE'],`
			`},`
			`hsts: {`
			`enabled: true,`
			`/*`
initial commit 2023-03-03 15:54:28 +00:00			`\|--------------------------------------------------------------------------`
			`\| Max Age`
			`\|--------------------------------------------------------------------------`
			`\|`
			`\| Control, how long the browser should remember that a site is only to be`
			`\| accessed using HTTPS.`
			`\|`
			`*/`
- update to AdonisJS 6 2024-03-14 19:25:27 +00:00			`maxAge: '180 days',`
initial commit 2023-03-03 15:54:28 +00:00
- update to AdonisJS 6 2024-03-14 19:25:27 +00:00			`/*`
initial commit 2023-03-03 15:54:28 +00:00			`\|--------------------------------------------------------------------------`
			`\| Include Subdomains`
			`\|--------------------------------------------------------------------------`
			`\|`
			`\| Apply rules on the subdomains as well.`
			`\|`
			`*/`
- update to AdonisJS 6 2024-03-14 19:25:27 +00:00			`includeSubDomains: true,`
initial commit 2023-03-03 15:54:28 +00:00
- update to AdonisJS 6 2024-03-14 19:25:27 +00:00			`/*`
initial commit 2023-03-03 15:54:28 +00:00			`\|--------------------------------------------------------------------------`
			`\| Preloading`
			`\|--------------------------------------------------------------------------`
			`\|`
			`\| Google maintains a service to register your domain and it will preload`
			`\| the HSTS policy. Learn more https://hstspreload.org/`
			`\|`
			`*/`
- update to AdonisJS 6 2024-03-14 19:25:27 +00:00			`preload: false,`
			`},`
			`contentTypeSniffing: {`
			`enabled: true,`
			`},`
			`});`