{"id":19631394,"url":"https://github.com/atilafassina/shieldwall","last_synced_at":"2025-06-15T17:34:17.374Z","repository":{"id":260521661,"uuid":"868113302","full_name":"atilafassina/shieldwall","owner":"atilafassina","description":"Secure your Fullstack App 🛡️","archived":false,"fork":false,"pushed_at":"2025-02-25T17:12:33.000Z","size":217,"stargazers_count":28,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-04-21T08:09:55.316Z","etag":null,"topics":["content-security-policy","middleware","owasp","security","serverless","solidjs","solidstart","typescript"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/atilafassina.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":".github/CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE.md","code_of_conduct":".github/CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":".github/SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":"AtilaFassina"}},"created_at":"2024-10-05T14:09:33.000Z","updated_at":"2025-04-21T03:42:36.000Z","dependencies_parsed_at":"2025-02-25T15:22:40.106Z","dependency_job_id":"cead6a89-085d-47e9-a746-c5bff37fe20b","html_url":"https://github.com/atilafassina/shieldwall","commit_stats":null,"previous_names":["atilafassina/shieldwall"],"tags_count":7,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/atilafassina%2Fshieldwall","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/atilafassina%2Fshieldwall/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/reposito
ries/atilafassina%2Fshieldwall/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/atilafassina%2Fshieldwall/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/atilafassina","download_url":"https://codeload.github.com/atilafassina/shieldwall/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":251265800,"owners_count":21561739,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["content-security-policy","middleware","owasp","security","serverless","solidjs","solidstart","typescript"],"created_at":"2024-11-11T12:08:52.421Z","updated_at":"2025-04-28T06:33:05.465Z","avatar_url":"https://github.com/atilafassina.png","language":"TypeScript","funding_links":["https://github.com/sponsors/AtilaFassina"],"categories":["TypeScript"],"sub_categories":[],"readme":"\u003ch1 align=\"center\"\u003eShieldWall\u003c/h1\u003e\n\n\u003cp align=\"center\"\u003eSecurity for your Fullstack App 🛡️\u003c/p\u003e\n\n## Install\n\n```sh\npnpm add shieldwall\n```\n\n## Usage\n\nThis package aims to support every framework runtime powered by [h3](https://h3.unjs.io), but at this moment only [SolidStart](https://start.solidjs.com) has first-class adapters.\n\n### SolidStart\n\nThe exports are out-of-the-box middleware handlers.\nIf you need help creating middlewares in SolidStart you can [check the docs](https://docs.solidjs.com/solid-start/advanced/middleware).\n\n```ts\nimport { createMiddleware } from \"@solidjs/start/middleware\";\nimport { securityHeaders, csp, csrf } from 
\"shieldwall/start\";\nimport { SELF } from \"shieldwall/start/csp\";\n\nexport default createMiddleware({\n\tonRequest: [\n\t\tcsrf,\n\t\tsecurityHeaders(),\n\t\tcsp({\n\t\t\textend: \"production_basic\",\n\t\t\tconfig: {\n\t\t\t\twithNonce: true,\n\t\t\t\treportOnly: true,\n\t\t\t\tvalue: {\n\t\t\t\t\t\"frame-src\": [SELF],\n\t\t\t\t},\n\t\t\t},\n\t\t}),\n\t],\n});\n```\n\nThe CSP must add `nonce` on every request and append to script and link tags.\n\n```diff\n   import { createHandler, StartServer } from \"@solidjs/start/server\";\n\n  export default createHandler(\n     () =\u003e (\n       \u003cStartServer\n         document={({ assets, children, scripts }) =\u003e (\n           \u003chtml lang=\"en\"\u003e\n             \u003chead\u003e\n             \u003cmeta charset=\"utf-8\" /\u003e\n             \u003cmeta\n               name=\"viewport\"\n               content=\"width=device-width, initial-scale=1\"\n             /\u003e\n             \u003clink rel=\"icon\" href=\"/favicon.ico\" /\u003e\n             {assets}\n           \u003c/head\u003e\n           \u003cbody class=\"overflow-x-hidden bg-gradient-to-bl from-sky-950\n        to-neutral-900\"\u003e\n             \u003cdiv\n               id=\"app\"\n               class=\"bg-blur-purple min-h-screen grid-cols-[auto,1fr,au\n       to]\"\n             \u003e\n               {children}\n             \u003c/div\u003e\n             {scripts}\n           \u003c/body\u003e\n         \u003c/html\u003e\n       )}\n     /\u003e\n   ),\n-\n+  (event) =\u003e ({ nonce: `nonce-${event.locals.nonce}` })\n  )\n```\n\n## Middlewares\n\nThis package exports 2 middlewares to be used as drop-in: `csrfProtection` and `secureRequest`.\n\n### CSRF Protection\n\nIn a CSRF (Cross-Site Request Forgery) attack, a malicious actor tricks a user's browser into making unwanted requests to another site where the user is authenticated.\nBy exploiting the fact that browsers automatically include cookies (including session cookies) 
with each request to a domain.\nThis allows the attacker to trigger a mutation in the origin server (e.g.: change of password, email, etc).\n\nThere are different strategies to prevent this form of attack, this middleware checks the HTTP headers to ensure the domain issuing the request is the same receiving it for `POST`.\n\nIf the request is to be blocked, the server will respond with a [`403`](https://http.cat/403) status.\n\n```ts\nexport const csrfProtection: RequestMiddleware = (event) =\u003e {\n\tif (csrfBlocker(event) === \"block\") {\n\t\t// eslint-disable-next-line n/no-unsupported-features/node-builtins\n\t\tevent.nativeEvent.respondWith(new Response(null, { status: 403 }));\n\t\treturn;\n\t}\n};\n```\n\n### Security Headers\n\nThis middleware will append multiple HTTP Headers to **every request** hitting the server.\n\n| Header Name                           | Description                                                                                                                                             |\n| ------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------- |\n| Strict-Transport-Security             | Enforces secure (HTTPS) connections to the server.                                                                                                      |\n| X-Frame-Options                       | Prevents [clickjacking](https://owasp.org/www-community/attacks/Clickjacking) by controlling whether a browser can display a page in a frame or iframe. |\n| X-Content-Type-Options                | Prevents `MIME` type sniffing by instructing browsers to follow the declared content type.                                                              |\n| Referrer-Policy                       | Controls how much referrer information is included with requests.                                                                 
                      |\n| Permissions-Policy                    | Manages permissions for APIs and features in the browser.                                                                                               |\n| X-XSS-Protection                      | Filters cross-site scripting (XSS) in the browser.                                                                                                      |\n| Cross-Origin-Opener-Policy            | Isolates browsing contexts to prevent cross-origin attacks.                                                                                             |\n| Cross-Origin-Resource-Policy          | Restricts which origins can load resources.                                                                                                             |\n| Access-Control-Allow-Origin           | Specifies which origins can access the resources via cross-origin requests.                                                                             |\n| Content-Security-Policy\\*             | Defines policies to prevent a wide range of attacks, including XSS and data injection.                                                                  |\n| Content-Security-Policy-Report-Only\\* | Same as Content-Security-Policy, but does not block, only reports to a passed URI.                                                                      
|\n\n\u003csmall\u003e\n* CSP headers have different defaults if in production or development and these are documented below.\n\u003c/small\u003e\n\nThe default values for each header can be found in [defaults.ts](https://github.com/atilafassina/shieldwall/blob/main/src/lib/defaults.ts#L39-L47) file.\nThey are strict by default and can be relaxed via configuration\n\n\u003e [!TIP]\n\u003e For an extra layer of security, once the Strict-Transport-Security (HSTS) is set, you can register your domain on the [HSTS Preload List](https://hstspreload.org/).\n\n## Content-Security-Policy\n\nGiven the complex nature of [Content-Security-Policy (CSP)](https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html) header, there is a lot of nuance on how to properly configure it and no _one-size-fits-all_ solution.\n\n\u003e [!WARNING]\n\u003e Please note that for Hot-Module Replacement to work it's required that we relax them during development to allow for inline-styles and inline-scripts.\n\u003e So there are different settings for **development** and **production**.\n\u003e We have extensible templates for `dev_hmr_friendly` and `production_basic` to be used in each scenario respectively.\n\nAdditionally, CSP allows for [`nonce`](https://developer.mozilla.org/en-US/docs/Web/HTML/Global_attributes/nonce) hashes to fully secure your application against [XSS](https://owasp.org/www-community/attacks/xss/), it will work out-of-the-box for the header and you must add it on your scripts and stylesheets as [shown on usage](#usage).\n\n### Implementation Tip\n\nIt's possible to have 2 CSPs at the same time, so rolling out changes can be done gradually.\n\n```ts\nimport { createMiddleware } from \"@solidjs/start/middleware\";\nimport { csp } from \"shieldwall/start\";\n\nexport default createMiddleware({\n\tonRequest: [\n\t\tcsp({\n\t\t\textend: \"production_basic\",\n\t\t\tconfig: {\n\t\t\t\twithNonce: true,\n\t\t\t\treportOnly: true, // warns, doesn't 
block\n\t\t\t},\n\t\t}),\n\t\tcsp({ extend: \"dev_hmr_friendly\", config: { withNonce: false } }), // blocks\n\t],\n});\n```\n\n## Contributors\n\n\u003c!-- spellchecker: disable --\u003e\n\u003c!-- ALL-CONTRIBUTORS-LIST:START - Do not remove or modify this section --\u003e\n\u003c!-- prettier-ignore-start --\u003e\n\u003c!-- markdownlint-disable --\u003e\n\u003ctable\u003e\n  \u003ctbody\u003e\n    \u003ctr\u003e\n      \u003ctd align=\"center\" valign=\"top\" width=\"14.28%\"\u003e\u003ca href=\"https://atila.io/\"\u003e\u003cimg src=\"https://avatars.githubusercontent.com/u/2382552?v=4?s=100\" width=\"100px;\" alt=\"Atila Fassina\"/\u003e\u003cbr /\u003e\u003csub\u003e\u003cb\u003eAtila Fassina\u003c/b\u003e\u003c/sub\u003e\u003c/a\u003e\u003cbr /\u003e\u003ca href=\"https://github.com/atilafassina/shieldwall/commits?author=atilafassina\" title=\"Code\"\u003e💻\u003c/a\u003e \u003ca href=\"#content-atilafassina\" title=\"Content\"\u003e🖋\u003c/a\u003e \u003ca href=\"https://github.com/atilafassina/shieldwall/commits?author=atilafassina\" title=\"Documentation\"\u003e📖\u003c/a\u003e \u003ca href=\"#ideas-atilafassina\" title=\"Ideas, Planning, \u0026 Feedback\"\u003e🤔\u003c/a\u003e \u003ca href=\"#infra-atilafassina\" title=\"Infrastructure (Hosting, Build-Tools, etc)\"\u003e🚇\u003c/a\u003e \u003ca href=\"#maintenance-atilafassina\" title=\"Maintenance\"\u003e🚧\u003c/a\u003e \u003ca href=\"#projectManagement-atilafassina\" title=\"Project Management\"\u003e📆\u003c/a\u003e \u003ca href=\"#tool-atilafassina\" title=\"Tools\"\u003e🔧\u003c/a\u003e\u003c/td\u003e\n      \u003ctd align=\"center\" valign=\"top\" width=\"14.28%\"\u003e\u003ca href=\"https://danieljcafonso.com\"\u003e\u003cimg src=\"https://avatars.githubusercontent.com/u/35337607?v=4?s=100\" width=\"100px;\" alt=\"Daniel Afonso\"/\u003e\u003cbr /\u003e\u003csub\u003e\u003cb\u003eDaniel Afonso\u003c/b\u003e\u003c/sub\u003e\u003c/a\u003e\u003cbr /\u003e\u003ca 
href=\"https://github.com/atilafassina/shieldwall/commits?author=danieljcafonso\" title=\"Code\"\u003e💻\u003c/a\u003e\u003c/td\u003e\n      \u003ctd align=\"center\" valign=\"top\" width=\"14.28%\"\u003e\u003ca href=\"http://www.joshuakgoldberg.com/\"\u003e\u003cimg src=\"https://avatars.githubusercontent.com/u/3335181?v=4?s=100\" width=\"100px;\" alt=\"Josh Goldberg ✨\"/\u003e\u003cbr /\u003e\u003csub\u003e\u003cb\u003eJosh Goldberg ✨\u003c/b\u003e\u003c/sub\u003e\u003c/a\u003e\u003cbr /\u003e\u003ca href=\"#tool-JoshuaKGoldberg\" title=\"Tools\"\u003e🔧\u003c/a\u003e\u003c/td\u003e\n    \u003c/tr\u003e\n  \u003c/tbody\u003e\n\u003c/table\u003e\n\n\u003c!-- markdownlint-restore --\u003e\n\u003c!-- prettier-ignore-end --\u003e\n\n\u003c!-- ALL-CONTRIBUTORS-LIST:END --\u003e\n\u003c!-- spellchecker: enable --\u003e\n\n\u003c!-- You can remove this notice if you don't want it 🙂 no worries! --\u003e\n\n\u003e 💙 This package was templated with [`create-typescript-app`](https://github.com/JoshuaKGoldberg/create-typescript-app).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fatilafassina%2Fshieldwall","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fatilafassina%2Fshieldwall","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fatilafassina%2Fshieldwall/lists"}