sails.config.security
Configuration for your app's security settings, including how it deals with cross-origin requests (CORS), and which routes require a CSRF token to be included with the request. For an overview of how Sails handles security, see Concepts > Security.
sails.config.security.cors
Configuration for Sails' built-in support for Cross-Origin Resource Sharing. CORS specifies how HTTP requests to your app originating from foreign domains should be treated. It is primarily used to allow third-party sites to make AJAX requests to your app, which are normally blocked by browsers following the same-origin policy.
These options are conventionally set in the config/security.js configuration file. Note that these settings (with the exception of allRoutes) can be changed on a per-route basis in the config/routes.js file.
Properties
| Property | Type | Default | Details |
|---|---|---|---|
| allRoutes | false | Indicates whether the other CORS configuration settings should apply to every route in the app by default. | |
| allowOrigins | '*' |
Array of default hosts (beginning with http:// or https://) to grant cross-domain browser access (e.g. AJAX over CORS). Alternatively, if this is the string *, then AJAX requests from any domain will be allowed.Warning: If your CORS settings specify allRoutes: true AND allowOrigins: '*', then your app will be fully accessible to sites hosted on foreign domains (except for routes which have their own CORS settings). If allowCredentials is also true, you will probably want to set this to an array of explicit hosts! If you don't, then the app will fail to lift for security reasons, unless you circumvent that precaution by enabling the allowAnyOriginWithCredentialsUnsafe: true flag. |
|
| allowRequestMethods | 'GET, POST, PUT, DELETE, OPTIONS, HEAD' |
Comma-delimited list of HTTP methods that are allowed to be used in CORS requests. This is only used in response to preflight requests, so the inclusion of GET, POST, OPTIONS and HEAD, although customary, is not necessary. | |
| allowRequestHeaders | 'content-type' |
Comma-delimited list of headers that are allowed to be sent with CORS requests. This is only used in response to preflight requests. (For example, if you want cross-origin AJAX requests to be able to include their CSRF token as a request header, you might change this to 'content-type,x-csrf-token'.) |
|
| allowResponseHeaders | '' |
List of response headers that browsers will be allowed to access. See access-control-expose-headers. | |
| allowCredentials | false | Whether or not cookies can be shared in CORS requests. (For example, if allowCredentials is not enabled, then when Sails receives an AJAX request from a webpage on some other domain, it won't be able to provide req.session when the backend code runs.) |
|
| allowAnyOriginWithCredentialsUnsafe | false | A safety precaution. This flag must be enabled in order to use allowOrigins: '*' and allowCredentials: true at the same time. This essentially negates the security benefits of browsers' cross-origin policy and should be used very carefully. |
Custom route config example
The following will allow cross-origin AJAX GET, PUT and POST requests to /foo/bar from sites hosted http://foobar.com and https://owlhoot.com. DELETE requests, or requests from sites on any other domains, will be blocked by the browser.
'/foo/bar': {
action: 'foo/bar',
cors: {
allowOrigins: ['http://foobar.com','https://owlhoot.com'],
allowRequestMethods: 'GET,PUT,POST,OPTIONS,HEAD'
}
}
sails.config.security.csrf
Configuration for Sails' built-in CSRF protection middleware. CSRF options are conventionally set in the config/security.js configuration file. For detailed usage instructions, see Concepts > Security > Cross-Site Request Forgery.
This setting protects your Sails app against cross-site request forgery (or CSRF) attacks. In addition to the user's session cookie, a would-be attacker also needs this timestamped, secret CSRF token, which is refreshed/granted when the user visits a URL on your app's domain. This allows you to have certainty that your users' requests haven't been hijacked, and that the requests they're making are intentional and legitimate.
Properties
| Property | Type | Default | Details |
|---|---|---|---|
csrf |
false | CSRF protection is disabled by default to facilitate development. To turn it on, just set sails.config.security.csrf to true, or for more flexibility, specify csrf: true or csrf: false in any route in your config/routes.js file. |
Notes
- In Sails v1.0,
sails.config.csrf.grantTokenViaAjaxandsails.config.csrf.originwere removed in favor of the built-insecurity/grant-csrf-tokenaction.
For a better experience on sailsjs.com, update your browser.
Reference
- Application
- Blueprint API
- Command-line interface
-
Configuration
- sails.config.*
- sails.config.blueprints
- sails.config.bootstrap()
- sails.config.custom
- sails.config.datastores
- sails.config.globals
- sails.config.http
- sails.config.i18n
- sails.config.log
- sails.config.models
- sails.config.policies
- sails.config.routes
- sails.config.security
- sails.config.session
- sails.config.sockets
- sails.config.views
-
Request (`req`)
- req._startTime
- req.body
- req.cookies
- req.fresh
- req.headers
- req.hostname
- req.ip
- req.ips
- req.isSocket
- req.method
- req.options
- req.originalUrl
- req.params
- req.path
- req.protocol
- req.query
- req.secure
- req.signedCookies
- req.socket
- req.subdomains
- req.url
- req.wantsJSON
- req.xhr
- req.accepts()
- req.acceptsCharsets()
- req.acceptsLanguages()
- req.allParams()
- req.file()
- req.get()
- req.is()
- req.param()
- req.setLocale()
- req.setTimeout()
- req.host
- Response (`res`)
- Waterline (ORM)
- WebSockets
Built with Love
The Sails framework is built by a web & mobile shop in Austin, TX, with the help of our contributors. We created Sails in 2012 to assist us on Node.js projects. Naturally we open-sourced it. We hope it makes your life a little bit easier!
© 2012-2023 The Sails Company.
The Sails framework is free and open-source under the MIT License.
Illustrations by Edamame.