Edit Page

`sails.config.security`

Configuration for your app's security settings, including how it deals with cross-origin requests (CORS), and which routes require a CSRF token to be included with the request. For an overview of how Sails handles security, see Concepts > Security.

`sails.config.security.cors`

Configuration for Sails' built-in support for Cross-Origin Resource Sharing. CORS specifies how HTTP requests to your app originating from foreign domains should be treated. It is primarily used to allow third-party sites to make AJAX requests to your app, which are normally blocked by browsers following the same-origin policy.

These options are conventionally set in the config/security.js configuration file. Note that these settings (with the exception of allRoutes) can be changed on a per-route basis in the config/routes.js file.

Properties

Property	Type	Default	Details
allRoutes	Boolean	false	Indicates whether the other CORS configuration settings should apply to every route in the app by default.
allowOrigins	Array or String	`'*'`	Array of default hosts (beginning with http:// or https://) to grant cross-domain browser access (e.g. AJAX over CORS). Alternatively, if this is the string ``, then AJAX requests from any* domain will be allowed. Warning: If your CORS settings specify `allRoutes: true` AND `allowOrigins: ''`, then your app will be fully accessible to sites hosted on foreign domains (except for routes which have their own CORS settings). If `allowCredentials` is also `true`, you will probably want to set this to an array of explicit hosts!* If you don't, then the app will fail to lift for security reasons, unless you circumvent that precaution by enabling the `allowAnyOriginWithCredentialsUnsafe: true` flag.
allowRequestMethods	String	`'GET, POST, PUT, DELETE, OPTIONS, HEAD'`	Comma-delimited list of HTTP methods that are allowed to be used in CORS requests. This is only used in response to preflight requests, so the inclusion of GET, POST, OPTIONS and HEAD, although customary, is not necessary.
allowRequestHeaders	String	`'content-type'`	Comma-delimited list of headers that are allowed to be sent with CORS requests. This is only used in response to preflight requests. (For example, if you want cross-origin AJAX requests to be able to include their CSRF token as a request header, you might change this to `'content-type,x-csrf-token'`.)
allowResponseHeaders	String	`''`	List of response headers that browsers will be allowed to access. See access-control-expose-headers.
allowCredentials	Boolean	false	Whether or not cookies can be shared in CORS requests. (For example, if `allowCredentials` is not enabled, then when Sails receives an AJAX request from a webpage on some other domain, it won't be able to provide `req.session` when the backend code runs.)
allowAnyOriginWithCredentialsUnsafe	Boolean	false	A safety precaution. This flag must be enabled in order to use `allowOrigins: ''` and `allowCredentials: true` at the same time*. This essentially negates the security benefits of browsers' cross-origin policy and should be used very carefully.

Custom route config example

The following will allow cross-origin AJAX GET, PUT and POST requests to /foo/bar from sites hosted http://foobar.com and https://owlhoot.com. DELETE requests, or requests from sites on any other domains, will be blocked by the browser.

'/foo/bar': {
  action: 'foo/bar',
  cors: {
    allowOrigins: ['http://foobar.com','https://owlhoot.com'],
    allowRequestMethods: 'GET,PUT,POST,OPTIONS,HEAD'
  }
}

`sails.config.security.csrf`

Configuration for Sails' built-in CSRF protection middleware. CSRF options are conventionally set in the config/security.js configuration file. For detailed usage instructions, see Concepts > Security > Cross-Site Request Forgery.

This setting protects your Sails app against cross-site request forgery (or CSRF) attacks. In addition to the user's session cookie, a would-be attacker also needs this timestamped, secret CSRF token, which is refreshed/granted when the user visits a URL on your app's domain. This allows you to have certainty that your users' requests haven't been hijacked, and that the requests they're making are intentional and legitimate.

Properties

Property	Type	Default	Details
`csrf`	Boolean or Dictionary	false	CSRF protection is disabled by default to facilitate development. To turn it on, just set `sails.config.security.csrf` to `true`, or for more flexibility, specify `csrf: true` or `csrf: false` in any route in your `config/routes.js` file.

Notes

In Sails v1.0, sails.config.csrf.grantTokenViaAjax and sails.config.csrf.origin were removed in favor of the built-in security/grant-csrf-token action.

Is something missing?

If you notice something we've missed or could be improved on, please follow this link and submit a pull request to the sails repo. Once we merge it, the changes will be reflected on the website the next time it is deployed.

Documentation

Reference

Built with Love

The Sails framework is built by a web & mobile shop in Austin, TX, with the help of our contributors. We created Sails in 2012 to assist us on Node.js projects. Naturally we open-sourced it. We hope it makes your life a little bit easier!

Sails:

About:

Help:

© 2012-2025 The Sails Company.
The Sails framework is free and open-source under the MIT License.
Illustrations by Edamame.