You are viewing the legacy version of AdonisJS. Visit https://adonisjs.com for newer docs. This version will receive security patches until the end of 2021.
Apart from CORS and CSRF, AdonisJs also protects your web applications against other common attacks such as XSS, content sniffing, script injection and so on.
There is no silver bullet to secure your websites completely. AdonisJs as a framework gives you a handful of ways to prevent common web attacks.
Install the shield provider and register the appropriate middleware:

```bash
adonis install @adonisjs/shield
```
Next, register the provider inside the start/app.js file:

```js
const providers = [
  '@adonisjs/shield/providers/ShieldProvider'
]
```
Finally, register the global middleware inside the start/kernel.js file:

```js
const globalMiddleware = [
  'Adonis/Middleware/Shield'
]
```

Shield middleware relies on sessions, so make sure they are set up correctly.
Content Security Policy (CSP) helps you define the trusted sources for loading and executing scripts, styles, fonts and various other resources.
It’s good practice to be strict when allowing the execution of scripts from different sources.
For more information, read this interesting article by HTML5 rocks.
The configuration for CSP is saved inside the config/shield.js file:

```js
csp: {
  directives: {
    defaultSrc: ['self', 'http://getcdn.com'],
    scriptSrc: ['self', '@nonce'],
    styleSrc: ['http://getbootstrap.com'],
    imgSrc: ['http://dropbox.com']
  },
  reportOnly: false,
  setAllHeaders: false,
  disableAndroid: true
}
```
Key | Value | Description
---|---|---
directives | Object | Directives help you define policies to be applied to different resource types. You can get the list of all directives from http://content-security-policy.com.
reportOnly | Boolean | Set the value to
setAllHeaders | Boolean | Shield sets different HTTP headers for different browsers. Set the value to
disableAndroid | Boolean | As Android is known to be buggy with CSP, set the value to
Almost all modern browsers support CSP.
Here is the most accurate list of supported browsers.
The shield middleware automatically sets the required HTTP headers for CSP to work, but also provides a view helper to set the meta tag if required:

```html
{{ cspMeta() }}
```

which renders:

```html
<meta http-equiv="Content-Security-Policy" content="xxx">
```
Script tags with inline JavaScript code are automatically trusted and executed by the browser.
This behavior can be stopped by adding @nonce to the scriptSrc array in your configuration:

```js
csp: {
  directives: {
    scriptSrc: ['self', '@nonce']
  },
  // ...
}
```
To tell the browser which inline script blocks should still execute, append a nonce attribute using the cspNonce view global in your templates like so:

```html
<script nonce="{{ cspNonce }}">
  // ...
</script>
```
Malware protection helps protect your website from XSS attacks, unwanted iframe embeds and content-type sniffing, and stops IE from executing unsolicited scripts in the context of your web page.
Edit the xss configuration object to enable/disable XSS protection (sets the header X-XSS-Protection=1; mode=block):

```js
xss: {
  enabled: true,
  enableOnOldIE: false
}
```
The majority of modern browsers attempt to detect the Content-Type of a resource by sniffing its content, meaning a file ending in .txt could be executed as JavaScript if it contains JavaScript code.
To disable this behavior, set nosniff to true:

```js
{
  nosniff: true
}
```
IE users can execute webpages in the context of your website, which is a serious security risk.
To stop IE from executing unknown scripts in the context of your website, ensure noopen is set to true (sets the header X-Download-Options: noopen):

```js
{
  noopen: true
}
```
The xframe option within the config/shield.js file makes it easy for you to control the embed behavior of your website inside an iframe.
Available options are DENY, SAMEORIGIN or ALLOW-FROM http://example.com:

```js
{
  xframe: 'DENY'
}
```
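As an added example (not AdonisJs or Shield code), the block below derives the response headers that the xss, nosniff, noopen and xframe settings above ask for, validates the xframe value against the three allowed forms, and includes a small audit function you can run over the headers of a test response to list which protections are missing. X-XSS-Protection and X-Download-Options are the headers the page names; X-Content-Type-Options and X-Frame-Options are the standard headers behind nosniff and xframe. The function names and sample config are constructed for illustration.

```javascript
// Sample config, constructed from the xss / nosniff / noopen / xframe values shown above.
const sampleConfig = {
  xss: { enabled: true, enableOnOldIE: false },
  nosniff: true,
  noopen: true,
  xframe: 'DENY'
}

// Derive the response headers this part of the config asks for (hypothetical helper).
function buildSecurityHeaders (config) {
  const headers = {}
  if (config.xss && config.xss.enabled) headers['X-XSS-Protection'] = '1; mode=block'
  if (config.nosniff) headers['X-Content-Type-Options'] = 'nosniff'
  if (config.noopen) headers['X-Download-Options'] = 'noopen'
  if (config.xframe !== undefined) {
    const value = String(config.xframe)
    // Only DENY, SAMEORIGIN or ALLOW-FROM <origin> are meaningful; anything else is a config error
    // that would otherwise ship a header browsers ignore, i.e. no framing protection at all.
    const valid = value === 'DENY' || value === 'SAMEORIGIN' || /^ALLOW-FROM https?:\/\/[^\s/]+$/.test(value)
    if (!valid) throw new Error(`xframe must be DENY, SAMEORIGIN or ALLOW-FROM <origin>, got "${value}"`)
    headers['X-Frame-Options'] = value
  }
  return headers
}

// Audit a response's headers (names in any case) and list the protections it lacks.
// X-XSS-Protection is deliberately not checked: current browsers ignore that header.
function missingProtections (responseHeaders) {
  const h = {}
  for (const [name, value] of Object.entries(responseHeaders)) h[name.toLowerCase()] = String(value).trim()
  const missing = []
  if (!h['content-security-policy'] && !h['content-security-policy-report-only']) missing.push('csp')
  if (h['x-content-type-options'] !== 'nosniff') missing.push('nosniff')
  if (h['x-download-options'] !== 'noopen') missing.push('noopen')
  if (!h['x-frame-options']) missing.push('xframe')
  return missing
}

function demo () {
  const headers = buildSecurityHeaders(sampleConfig)
  // 'csp' is expected to remain: that header comes from the csp block of the config, not from here.
  return { headers, stillMissing: missingProtections(headers) }
}

console.log(demo())
```

Running missingProtections against a real response from your app (for example the headers returned by a test client) is a quick way to catch the case where Shield is installed but the middleware was never added to globalMiddleware, since then every entry comes back as missing.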