You are viewing the legacy version of AdonisJS. Visit for newer docs. This version will receive security patches until the end of 2021.


Being a Web framework, AdonisJs provides a handful of tools to keep your websites secure from common web attacks. In this guide, we learn about the best practices to keep your AdonisJs applications secure.

If you find any security bug, make sure to share it via email. Please do not create a GitHub issue, since it may impact the applications running in production. We disclose the issue after pushing the patch for the bug.

Session Security

Sessions can leak important information if not handled with care. AdonisJs encrypts and signs all the cookies using the appKey defined in the config/app.js file. Keep it secret: never share it with anyone and never push it to version control systems like GitHub.

Session Config

Session configuration is saved inside the config/session.js file. You can tweak it as per your own needs, but do consider the following suggestions.

  • Make sure httpOnly is set to true. Setting it to false makes the cookie accessible to JavaScript via document.cookie.

  • The sameSite property also makes sure that your session cookie is not visible/accessible from different domains.

Forms & Views

To keep the development cycle simple and productive, AdonisJs ships with some features that you may want to consider before releasing your website to the public.

Form Method Spoofing

HTML forms are capable of only making GET and POST requests, which means you cannot make use of all HTTP verbs to perform RESTful operations.

To make this easy, AdonisJs lets you define the HTTP method as a query string inside the URL, which is known as form method spoofing.

    Route.put('/users/:id', 'UserController.update')

    <form action="/users/1?_method=PUT" method="POST">
    </form>

Setting _method=PUT converts the HTTP method to PUT instead of POST. This makes it easy to use any HTTP verb by simply spoofing it. Here are a couple of things you should know about.

  • AdonisJs only spoofs the method when the actual HTTP method is POST, which means a GET request with _method is not spoofed.

  • You can turn off the form spoofing by setting allowMethodSpoofing=false inside config/app.js.

    http: {
      allowMethodSpoofing: false
    }

File Uploads

Attackers often try to upload malicious files to the server and later execute those uploaded files to gain access to the server or perform some destructive actions.

Files are not only uploaded to gain access to the server; often you find people trying to upload huge files so that your server stays busy processing uploads and starts throwing TIMEOUT errors for other requests.

To overcome this situation, AdonisJs lets you define the maximum upload size to be processed by the server. Any file greater than the specified size is denied without processing, which keeps your server in a healthy state.

  • Make sure to set maxSize inside config/bodyParser.js file.

    uploads: {
      maxSize: '2mb'
    }

  • Never store uploaded files inside the public directory, since files in the public directory can be accessed directly.

  • Always rename files before uploading.

  • Never share the actual location of the file with the end users. Instead, save the file reference inside the database with a unique id and set up a route to serve the file using the id.

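    const Helpers = use('Helpers')
    // Files is assumed to be the Lucid model that stores the file references.
    Route.get('download/:fileId', async ({ params, response }) => {
      const file = await Files.findOrFail(params.fileId)
      response.download(Helpers.tmpPath(`uploads/${file.path}`))
    })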
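
The upload rules above (rename before storing, keep files out of the public directory, serve by id) as a framework-independent Node.js sketch. This is an added example, not code from the AdonisJs docs; the function names, the extension allow-list and the in-memory `files` map standing in for the database table are assumptions of the example.

```javascript
'use strict'
const crypto = require('node:crypto')
const path = require('node:path')

// Assumed policy for this example: the only extensions the app accepts.
const ALLOWED_EXT = new Set(['.png', '.jpg', '.pdf'])

// Build the name the file is stored under. Nothing from the client-supplied
// name survives except an allow-listed, lower-cased extension.
function storedNameFor (clientName) {
  const ext = path.extname(path.basename(String(clientName))).toLowerCase()
  if (!ALLOWED_EXT.has(ext)) return null
  return crypto.randomBytes(16).toString('hex') + ext
}

// Resolve a stored name against the upload root and refuse any path that
// escapes the root or ends up inside the public directory.
function resolveUpload (uploadRoot, publicDir, storedName) {
  const root = path.resolve(uploadRoot)
  const full = path.resolve(root, storedName)
  const inside = (dir, p) => p.startsWith(path.resolve(dir) + path.sep)
  if (!inside(root, full) || inside(publicDir, full)) return null
  return full
}

// Constructed stand-in for the database table mapping ids to stored names.
const files = new Map()

// Record an accepted upload and return the id that is handed to the user.
function saveReference (clientName) {
  const storedName = storedNameFor(clientName)
  if (storedName === null) return null
  const id = crypto.randomUUID()
  files.set(id, { path: storedName })
  return id
}

// What a download route would call: id in, safe absolute path (or null) out.
function downloadPathFor (fileId, uploadRoot, publicDir) {
  const record = files.get(fileId)
  return record ? resolveUpload(uploadRoot, publicDir, record.path) : null
}
```

A route handler would pass the non-null result of `downloadPathFor` to the framework's download response and answer with a 404 otherwise.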