You are viewing the legacy version of AdonisJS. Visit for newer docs. This version will receive security patches until the end of 2021.

Shield middleware

Apart from Cors and CSRF, AdonisJs also prevents your web applications from other malware attacks like XSS, Content Sniffing, Script Injection and so on.

There is no silver bullet to secure your websites completely. AdonisJs as a framework gives you a handful of ways to prevent common web attacks.


Make sure to install the shield provider and register the appropriate middleware.

adonis install @adonisjs/shield

Next, register the provider inside start/app.js file.

const providers = [

And, finally register the global middleware inside start/kernel.js file.

Shield middleware relies on sessions, so make sure they are setup correctly.
const globalMiddleware = [

Content Security Policy

Content Security Policy(CSP) helps you in defining the trusted sources for loading and executing scripts, styles, fonts and various other resources.

It is a good practice to be strict when allowing the execution of scripts from different sources. You must read this interesting article by HTML5 rocks.


csp block inside the shield configuration file defines the rule for content security policy.

csp: {
  directives: {
    defaultSrc: ['self', ''],
    scriptSrc: ['self', '@nonce'],
    styleSrc: [''],
    imgSrc: ['']
  reportOnly: false,
  setAllHeaders: false,
  disableAndroid: true
Key Value Description



Directives helps you in defining policies to be applied on different resource types. You can get the list of all directives from



Do not stop the execution of the page, instead, log a warning that some rules are violated.



Shield sets different HTTP headers for different browsers. Set the value to true to set all fallback headers, regardless of the browser.



Android is buggy with CSP you can disable it for Android in case you face any troubles.

Browser support

Almost all modern browsers widely support CSP, but here is the most accurate list of supported browsers.

CSP policy via meta tags

The shield middleware automatically sets the required HTTP headers for CSP to work but also gives you a view helper to set the meta tag.

{{ cspMeta() }}
<meta http-equiv="Content-Security-Policy" content="xxx">

CSP Nonce

Script tags with inline javascript code are automatically trusted and executed by the browser. To stop this behavior, you must only allow the trusted inline script blocks by adding @nonce to the`scriptSrc` array.

csp: {
  directives: {
    scriptSrc: ['self', '@nonce']
  // ...

Now you have to tell the browser that your selected inline script blocks should be executed, and that selection is made with the help of a view global.

<script nonce="{{ cspNonce }}">
  // ...

Malware Protection

Malware protection helps in protecting your website from XSS attacks, unwanted iframe embeds, content-type sniffing and stopping IE from executing unsolicited scripts in the context of your web page.


Make use of the below defined configuration to enable/disable XSS protection. It is done by setting X-XSS-Protection=1; mode=block

xss: {
  enabled: true,
  enableOnOldIE: false

No Sniff

The majority of modern browsers attempts to detect the Content-Type of a request by sniffing its content. Which means a file ending in .txt can be executed as a javascript file if it contains javascript code. To disable this behavior set nosniff=false.

  nosniff: true

No Open

Stop IE from executing unknown script in the context of your website by setting the value of X-Download-Options to noopen.

  noopen: true


The xframe option within the config/shield.js file makes it easier for you to control the embed behavior of your website inside an iframe.

You can choose from DENY, ALLOW or ALLOW-FROM

  xframe: 'DENY'