
sails.config.security

Configuration for your app's security settings, including how it deals with cross-origin requests (CORS), and which routes require a CSRF token to be included with the request. For an overview of how Sails handles security, see Concepts > Security.

sails.config.security.cors

Configuration for Sails' built-in support for Cross-Origin Resource Sharing. CORS specifies how HTTP requests to your app originating from foreign domains should be treated. It is primarily used to allow third-party sites to make AJAX requests to your app, which are normally blocked by browsers following the same-origin policy.

These options are conventionally set in the config/security.js configuration file. Note that these settings (with the exception of allRoutes) can be changed on a per-route basis in the config/routes.js file.

Properties

Property (Type, Default): Details

allRoutes (Boolean, default: false)
  Indicates whether the other CORS configuration settings should apply to every route in the app by default.

allowOrigins (Array or String, default: '*')
  Array of default hosts (beginning with http:// or https://) to grant cross-domain browser access (e.g. AJAX over CORS). Alternatively, if this is the string *, then AJAX requests from any domain will be allowed.

  Warning: If your CORS settings specify allRoutes: true AND allowOrigins: '*', then your app will be fully accessible to sites hosted on foreign domains (except for routes which have their own CORS settings). If allowCredentials is also true, you will probably want to set this to an array of explicit hosts! If you don't, then the app will fail to lift for security reasons, unless you circumvent that precaution by enabling the allowAnyOriginWithCredentialsUnsafe: true flag.

allowRequestMethods (String, default: 'GET, POST, PUT, DELETE, OPTIONS, HEAD')
  Comma-delimited list of HTTP methods that are allowed to be used in CORS requests. This is only used in response to preflight requests, so the inclusion of GET, POST, OPTIONS and HEAD, although customary, is not necessary.

allowRequestHeaders (String, default: 'content-type')
  Comma-delimited list of headers that are allowed to be sent with CORS requests. This is only used in response to preflight requests. (For example, if you want cross-origin AJAX requests to be able to include their CSRF token as a request header, you might change this to 'content-type,x-csrf-token'.)

allowResponseHeaders (String, default: '')
  List of response headers that browsers will be allowed to access. See access-control-expose-headers.

allowCredentials (Boolean, default: false)
  Whether or not cookies can be shared in CORS requests. (For example, if allowCredentials is not enabled, then when Sails receives an AJAX request from a webpage on some other domain, it won't be able to provide req.session when the backend code runs.)

allowAnyOriginWithCredentialsUnsafe (Boolean, default: false)
  A safety precaution. This flag must be enabled in order to use allowOrigins: '*' and allowCredentials: true at the same time. This essentially negates the security benefits of browsers' cross-origin policy and should be used very carefully.
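The following is an added illustration written for this page, not code from Sails itself: a small model of how the properties in the table above turn into a decision for one request. It reproduces the lift-time precaution from the allowOrigins warning (a wildcard origin plus credentials is refused unless allowAnyOriginWithCredentialsUnsafe is set) and then computes the response headers for a given Origin, including the preflight-only method and header lists. The function names, the echo-the-origin behaviour for credentialed responses, and the Vary: Origin header are choices of this model, not a description of Sails' internal CORS hook.

```javascript
// Defaults exactly as listed in the properties table above.
const DEFAULT_CORS = {
  allRoutes: false,
  allowOrigins: '*',
  allowRequestMethods: 'GET, POST, PUT, DELETE, OPTIONS, HEAD',
  allowRequestHeaders: 'content-type',
  allowResponseHeaders: '',
  allowCredentials: false,
  allowAnyOriginWithCredentialsUnsafe: false,
};

// Lift-time precaution from the allowOrigins warning: '*' plus credentials is
// refused unless the explicitly named unsafe flag is set. Also rejects origin
// entries that are not scheme + host, since those can never equal a browser's
// Origin header. Returns { ok, reason } instead of throwing so it can be tested.
// (Illustrative helper; Sails' own check is not reproduced here.)
function checkCorsConfig(overrides) {
  const cors = Object.assign({}, DEFAULT_CORS, overrides);
  if (cors.allowOrigins === '*') {
    if (cors.allowCredentials && !cors.allowAnyOriginWithCredentialsUnsafe) {
      return { ok: false, reason: "allowOrigins: '*' with allowCredentials: true needs allowAnyOriginWithCredentialsUnsafe: true" };
    }
    return { ok: true, reason: '' };
  }
  const bad = cors.allowOrigins.filter((o) => !/^https?:\/\/[^/]+$/.test(o));
  if (bad.length > 0) {
    return { ok: false, reason: 'allowOrigins entries must be scheme + host only: ' + bad.join(', ') };
  }
  return { ok: true, reason: '' };
}

// Response headers this model emits for a request whose Origin header is
// `origin`. `preflight` is true for the OPTIONS preflight, which is the only
// place allowRequestMethods and allowRequestHeaders are used (see the table).
function corsHeadersFor(overrides, origin, preflight) {
  const cors = Object.assign({}, DEFAULT_CORS, overrides);
  const headers = {};
  const allowed = cors.allowOrigins === '*' ||
    (Array.isArray(cors.allowOrigins) && cors.allowOrigins.includes(origin));
  if (!origin || !allowed) {
    return headers; // no Access-Control-Allow-Origin: the browser blocks the cross-origin read
  }
  // Browsers reject "Access-Control-Allow-Origin: *" on a credentialed response,
  // so when cookies are allowed this model echoes the caller's origin instead and
  // adds Vary: Origin so a shared cache never replays one origin's answer to another.
  const echoOrigin = cors.allowCredentials || cors.allowOrigins !== '*';
  headers['Access-Control-Allow-Origin'] = echoOrigin ? origin : '*';
  if (echoOrigin) {
    headers['Vary'] = 'Origin';
  }
  if (cors.allowCredentials) {
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  if (preflight) {
    headers['Access-Control-Allow-Methods'] = cors.allowRequestMethods;
    headers['Access-Control-Allow-Headers'] = cors.allowRequestHeaders;
  } else if (cors.allowResponseHeaders) {
    headers['Access-Control-Expose-Headers'] = cors.allowResponseHeaders;
  }
  return headers;
}

// Stand-alone run: the configuration the warning refuses, then the per-route
// settings from the custom route example on this page.
const routeCors = {
  allowOrigins: ['http://foobar.com', 'https://owlhoot.com'],
  allowRequestMethods: 'GET,PUT,POST,OPTIONS,HEAD',
};
console.log(checkCorsConfig({ allRoutes: true, allowOrigins: '*', allowCredentials: true }));
console.log(corsHeadersFor(routeCors, 'https://owlhoot.com', true));
console.log(corsHeadersFor(routeCors, 'https://elsewhere.example', true));
```

Two things worth noticing when running it: a request from an origin that is not in the list gets no CORS headers at all rather than an error (the browser enforces the block), and the method and header allow-lists only ever appear on the preflight response, which is why the table says listing GET, POST, OPTIONS and HEAD is customary but not necessary.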

Custom route config example

The following will allow cross-origin AJAX GET, PUT and POST requests to /foo/bar from sites hosted at http://foobar.com and https://owlhoot.com. DELETE requests, or requests from sites on any other domains, will be blocked by the browser.

// config/routes.js
module.exports.routes = {
  '/foo/bar': {
    action: 'foo/bar',
    // Per-route CORS settings override sails.config.security.cors for this route only.
    cors: {
      allowOrigins: ['http://foobar.com', 'https://owlhoot.com'],
      allowRequestMethods: 'GET,PUT,POST,OPTIONS,HEAD'
    }
  }
};

sails.config.security.csrf

Configuration for Sails' built-in CSRF protection middleware. CSRF options are conventionally set in the config/security.js configuration file. For detailed usage instructions, see Concepts > Security > Cross-Site Request Forgery.

This setting protects your Sails app against cross-site request forgery (CSRF) attacks. In addition to the user's session cookie, a would-be attacker would also need this timestamped, secret CSRF token, which is refreshed/granted when the user visits a URL on your app's domain. This lets you be certain that your users' requests haven't been hijacked, and that the requests they're making are intentional and legitimate.

Properties

Property (Type, Default): Details

csrf (Boolean, default: false)
  CSRF protection is disabled by default to facilitate development. To turn it on, just set sails.config.security.csrf to true, or for more flexibility, specify csrf: true or csrf: false in any route in your config/routes.js file.

Notes

  • In Sails v1.0, sails.config.csrf.grantTokenViaAjax and sails.config.csrf.origin were removed in favor of the built-in security/grant-csrf-token action.
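As an added example (not a file from the Sails project), here is a config/security.js that turns CSRF protection on for every route and pairs it with the CORS settings a cookie-authenticated front end on another origin needs, followed by the config/routes.js entries that expose the built-in security/grant-csrf-token action named in the notes and switch protection off for a single route. The commented-out block shows the combination the allowOrigins warning refuses at lift. The origin https://app.example.com, the route paths and the action names are assumptions made for the example.

```javascript
// config/security.js (added example; the origin below is assumed)
module.exports.security = {

  cors: {
    // Refused at lift unless allowAnyOriginWithCredentialsUnsafe: true is added:
    // every route, every origin, and the session cookie along with it.
    // allRoutes: true,
    // allowOrigins: '*',
    // allowCredentials: true,

    // Corrected: name the front-end origin that may call this API with its
    // session cookie, and allow it to send the CSRF token as a request header
    // (the 'content-type,x-csrf-token' value from the properties table).
    allRoutes: true,
    allowOrigins: ['https://app.example.com'],
    allowCredentials: true,
    allowRequestHeaders: 'content-type,x-csrf-token',
  },

  // Off by default for development; on here for every route.
  csrf: true,
};

// config/routes.js (added example; paths and action names are assumed)
module.exports.routes = {
  // Hands a fresh token to the front end via the built-in action.
  'GET /csrfToken': { action: 'security/grant-csrf-token' },

  // A third-party service posting here cannot fetch a token first, so the
  // per-route override disables the check; the action must then verify the
  // caller by some other means (for example a signature it already carries).
  'POST /webhooks/payments': { action: 'webhooks/payments', csrf: false },
};
```

With this in place a browser page served from https://app.example.com can call the token endpoint with credentials, put the returned token in an x-csrf-token header, and the preflight for that header succeeds because it is in allowRequestHeaders; a page on any other origin gets no Access-Control-Allow-Origin header and the request is blocked before the token check is reached.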

© 2012-2023 The Sails Company. 
The Sails framework is free and open-source under the MIT License. 
Illustrations by Edamame.