feat: implementation of csrf, csp and secure cookies

backend/adonisrc.ts

@@ -43,6 +43,7 @@ export default defineConfig({
       environment: ["console"],
     },
     () => import("@adonisjs/mail/mail_provider"),
+    () => import("@adonisjs/shield/shield_provider"),
   ],
 
   /*

backend/config/cors.ts

@@ -1,5 +1,7 @@
 import { defineConfig } from "@adonisjs/cors";
 
+import env from "#start/env";
+
 /**
  * Configuration options to tweak the CORS policy. The following
  * options are documented on the official documentation website.
@@ -8,7 +10,7 @@ import { defineConfig } from "@adonisjs/cors";
  */
 const corsConfig = defineConfig({
   enabled: true,
-  origin: true,
+  origin: env.get("CORS_ORIGIN", "planer.solvro.pl").split(","),
   methods: ["GET", "HEAD", "POST", "PUT", "DELETE"],
   headers: true,
   exposeHeaders: [],

backend/config/shield.ts

@@ -0,0 +1,51 @@
+import { defineConfig } from "@adonisjs/shield";
+
+const shieldConfig = defineConfig({
+  /**
+   * Configure CSP policies for your app. Refer documentation
+   * to learn more
+   */
+  csp: {
+    enabled: false,
+    directives: {},
+    reportOnly: false,
+  },
+
+  /**
+   * Configure CSRF protection options. Refer documentation
+   * to learn more
+   */
+  csrf: {
+    enabled: true,
+    exceptRoutes: ["/user/login"],
+    enableXsrfCookie: true,
+    methods: ["POST", "PUT", "PATCH", "DELETE"],
+  },
+
+  /**
+   * Control how your website should be embedded inside
+   * iFrames
+   */
+  xFrame: {
+    enabled: true,
+    action: "DENY",
+  },
+
+  /**
+   * Force browser to always use HTTPS
+   */
+  hsts: {
+    enabled: true,
+    maxAge: "180 days",
+  },
+
+  /**
+   * Disable browsers from sniffing the content type of a
+   * response and always rely on the "content-type" header.
+   */
+  contentTypeSniffing: {
+    enabled: true,
+  },
+});
+
+export default shieldConfig;

backend/package.json

@@ -46,6 +46,7 @@
     "@adonisjs/lucid": "^21.2.0",
     "@adonisjs/mail": "^9.2.2",
     "@adonisjs/session": "^7.5.0",
+    "@adonisjs/shield": "^8.1.2",
     "@maximemrf/adonisjs-jwt": "^0.2.2",
     "@vinejs/vine": "^2.1.0",
     "adonis-autoswagger": "^3.64.0",

backend/start/kernel.ts

@@ -35,6 +35,7 @@ router.use([
   () => import("@adonisjs/core/bodyparser_middleware"),
   () => import("@adonisjs/session/session_middleware"),
   () => import("@adonisjs/auth/initialize_auth_middleware"),
+  () => import("@adonisjs/shield/shield_middleware"),
 ]);
 
 /**