'use strict';

/**
 * Builds one `{ enable, ...fields }` switch block.
 *
 * Every middleware entry in the security config is shaped this way: an
 * `enable` flag first (presumably read by the middleware of the same name —
 * confirm against the loader), followed by that middleware's own options.
 *
 * @param {boolean} enable - initial on/off state of the entry
 * @param {Object} [fields] - middleware-specific options merged after `enable`
 * @returns {Object} a new plain object, `enable` first
 */
function toggle(enable, fields) {
  return Object.assign({ enable }, fields);
}

/**
 * security options
 * @member Config#security
 * @property {String} defaultMiddleware - comma-separated names of the security middlewares that are on by default
 * @property {Object} csrf - whether to defend against CSRF attacks
 * @property {Object} xframe - whether to enable the X-Frame-Options response header, default SAMEORIGIN
 * @property {Object} hsts - whether to enable the Strict-Transport-Security response header; maxAge defaults to one year, but the entry itself ships disabled
 * @property {Object} methodnoallow - whether to enable the HTTP method filter
 * @property {Object} noopen - whether to enable the IE automatic download-open protection
 * @property {Object} nosniff - whether to enable the IE8 automatic MIME-detection protection
 * @property {Object} xssProtection - whether to enable the IE8 XSS Filter, default is open
 * @property {Object} csp - content security policy config (disabled by default, empty policy)
 * @property {Object} referrerPolicy - referrer policy config (disabled by default and absent from defaultMiddleware)
 * @property {Object} dta - automatically avoid directory traversal attacks
 * @property {Array} domainWhiteList - domain white list
 * @property {Array} protocolWhiteList - protocol white list
 * @property {Object} ssrf - SSRF protection settings; ipBlackList and checkAddress are both null here
 * @returns {Object} a fresh `security` section
 */
function createSecurityDefaults() {
  // HSTS max-age, expressed in seconds (365 days).
  const ONE_YEAR_IN_SECONDS = 365 * 24 * 3600;

  return {
    domainWhiteList: [],
    protocolWhiteList: [],
    // referrerPolicy is intentionally absent from this list; presumably it has to
    // be appended here in addition to setting `referrerPolicy.enable` — confirm
    // against the middleware loader before relying on either switch alone.
    defaultMiddleware: 'csrf,hsts,methodnoallow,noopen,nosniff,csp,xssProtection,xframe,dta',

    csrf: toggle(true, {
      useSession: false,
      ignoreJSON: false,
      // can be function(ctx) or String
      cookieDomain: undefined,
      cookieName: 'csrfToken',
      sessionName: 'csrfToken',
      headerName: 'x-csrf-token',
      bodyName: '_csrf',
      queryName: '_csrf',
    }),

    xframe: toggle(true, {
      // 'SAMEORIGIN', 'DENY' or 'ALLOW-FROM http://example.jp'
      value: 'SAMEORIGIN',
    }),

    // Off by default: a TLS-only deployment has to opt in explicitly.
    hsts: toggle(false, {
      maxAge: ONE_YEAR_IN_SECONDS,
      includeSubdomains: false,
    }),

    dta: toggle(true),

    methodnoallow: toggle(true),

    noopen: toggle(true),

    nosniff: toggle(true),

    referrerPolicy: toggle(false, {
      value: 'no-referrer-when-downgrade',
    }),

    xssProtection: toggle(true, {
      value: '1; mode=block',
    }),

    // Off by default with an empty policy; a real policy must be supplied by the app.
    csp: toggle(false, {
      policy: {},
    }),

    // Not a toggle: both hooks are null until the application provides them.
    ssrf: {
      ipBlackList: null,
      checkAddress: null,
    },
  };
}

/**
 * Default config factory for egg-security.
 *
 * Zero-argument so each call returns a brand-new object tree; callers may
 * mutate their copy without affecting subsequent calls.
 *
 * @returns {{ security: Object, helper: Object }} the default config
 */
function createDefaultConfig() {
  return {
    security: createSecurityDefaults(),
    helper: {
      shtml: {
      },
    },
  };
}

// Under CommonJS `module` is always defined, so this is the plain
// `module.exports = factory` assignment; the guard only keeps the file
// loadable by tooling that evaluates it without a `module` object.
if (typeof module !== 'undefined' && module.exports) {
  module.exports = createDefaultConfig;
}
|
|