Edit Page

sails.config.security

Configuration for your app's security settings, including how it deals with cross-origin requests (CORS), and which routes require a CSRF token to be included with the request. For an overview of how Sails handles security, see Concepts > Security.

sails.config.security.cors

#

Configuration for Sails' built-in support for Cross-Origin Resource Sharing. CORS specifies how HTTP requests to your app originating from foreign domains should be treated. It is primarily used to allow third-party sites to make AJAX requests to your app, which are normally blocked by browsers following the same-origin policy.

These options are conventionally set in the config/security.js configuration file. Note that these settings (with the exception of allRoutes) can be changed on a per-route basis in the config/routes.js file.

Properties

#
Property Type Default Details
allRoutes Boolean false Indicates whether the other CORS configuration settings should apply to every route in the app by default.
allowOrigins Array or String '*' Array of default hosts (beginning with http:// or https://) to grant cross-domain browser access (e.g. AJAX over CORS). Alternatively, if this is the string *, then AJAX requests from any domain will be allowed.

Warning: If your CORS settings specify allRoutes: true AND allowOrigins: '*', then your app will be fully accessible to sites hosted on foreign domains (except for routes which have their own CORS settings). If allowCredentials is also true, you will probably want to set this to an array of explicit hosts! If you don't, then the app will fail to lift for security reasons, unless you circumvent that precaution by enabling the allowAnyOriginWithCredentialsUnsafe: true flag.
allowRequestMethods String 'GET, POST, PUT, DELETE, OPTIONS, HEAD' Comma-delimited list of HTTP methods that are allowed to be used in CORS requests. This is only used in response to preflight requests, so the inclusion of GET, POST, OPTIONS and HEAD, although customary, is not necessary.
allowRequestHeaders String 'content-type' Comma-delimited list of headers that are allowed to be sent with CORS requests. This is only used in response to preflight requests. (For example, if you want cross-origin AJAX requests to be able to include their CSRF token as a request header, you might change this to 'content-type,x-csrf-token'.)
allowResponseHeaders String '' List of response headers that browsers will be allowed to access. See access-control-expose-headers.
allowCredentials Boolean false Whether or not cookies can be shared in CORS requests. (For example, if allowCredentials is not enabled, then when Sails receives an AJAX request from a webpage on some other domain, it won't be able to provide req.session when the backend code runs.)
allowAnyOriginWithCredentialsUnsafe Boolean false A safety precaution. This flag must be enabled in order to use allowOrigins: '*' and allowCredentials: true at the same time. This essentially negates the security benefits of browsers' cross-origin policy and should be used very carefully.

Custom route config example

#

The following will allow cross-origin AJAX GET, PUT and POST requests to /foo/bar from sites hosted http://foobar.com and https://owlhoot.com. DELETE requests, or requests from sites on any other domains, will be blocked by the browser.

'/foo/bar': {
  action: 'foo/bar',
  cors: {
    allowOrigins: ['http://foobar.com','https://owlhoot.com'],
    allowRequestMethods: 'GET,PUT,POST,OPTIONS,HEAD'
  }
}

sails.config.security.csrf

#

Configuration for Sails' built-in CSRF protection middleware. CSRF options are conventionally set in the config/security.js configuration file. For detailed usage instructions, see Concepts > Security > Cross-Site Request Forgery.

This setting protects your Sails app against cross-site request forgery (or CSRF) attacks. In addition to the user's session cookie, a would-be attacker also needs this timestamped, secret CSRF token, which is refreshed/granted when the user visits a URL on your app's domain. This allows you to have certainty that your users' requests haven't been hijacked, and that the requests they're making are intentional and legitimate.

Properties

#
Property Type Default Details
csrf Boolean or Dictionary false CSRF protection is disabled by default to facilitate development. To turn it on, just set sails.config.security.csrf to true, or for more flexibility, specify csrf: true or csrf: false in any route in your config/routes.js file.

Notes

#

Is something missing?

If you notice something we've missed or could be improved on, please follow this link and submit a pull request to the sails repo. Once we merge it, the changes will be reflected on the website the next time it is deployed.

Reference

Reference