Want to skip the interview altogether? You can run `_spartan init y`, `_spartan init Y`, `_spartan -D` or `_spartan --default` in your project root directory to build a default policy (named `security.json`).
After running one of these commands, _spartan will build a JSON file that assumes an internet-facing, locally-hosted web application:

Subcomponent | Enabled? | Defaults |
---|---|---|
policy metadata | true | new policy #, Internet-facing web application |
application dependencies | true | Snyk for dependency vulnerability detection |
access controls | true | username/password for application enrollment; 3 default roles for authorization |
apiPolicy | false | N/A |
connections | true | uses Node.js default ciphers; can also add the path to your certificates here* |
contentValidation | true | attempts syntactic (is ‘date’ a Date) and semantic validation (is startDate before endDate) |
databases | true | assumes local MongoDB && applies basic data tagging (public, private, top secret) |
forms | true | forces autocomplete=“off”, does not allow method override and allows JSON content to be accepted |
logging | true | names custom logging levels and /var/log/{appName} as location; provides “plumbing” for eventual pipe to Kibana or Logstash store (feature under development) |
resource sharing | false | N/A |
secrets management | true | “environment variables” set to null => see secrets management in the security.json section for more info on how to complete this |
security headers | true | creates a content security policy (all directives set to “self”, implying a SAME-ORIGIN site); enables sandboxing, strict transport security & cache control headers |
session management | true | sets cookie generation parameters (secure, httpOnly, same-site), session ID length & entropy as well as invalidation stipulations (e.g. invalidate on window close) |
The default policy has apiPolicy and resourceSharing disabled by default, and these two components are not included in the boilerplate. To modify this, change the `enabled` flag to `true` in security.json for both subcomponents and then run `_spartan --force` to force the translation engine to reevaluate the policy with these changes in place. Alternatively, to enable these by default, you can change the default policy itself to set these values to `true`; see the `--set-as-default` option in the command line section.
(*) Including the direct path to your certificates is NOT RECOMMENDED, though it has been made available for feature completeness. You should consider this to be secret information and treat it as such; consult the “secrets management” section in the security.json section for more information on how to do this.

The default policy is designed to be exceptionally strict. You should ABSOLUTELY review and modify the generated policy to ensure that it suits your application’s needs, or you may find your application unusable.
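One way to make that review systematic, as an added example that is not part of _spartan itself: a small Node.js check that lists which subcomponents a generated policy leaves disabled, flags a certificate path stored inline under connections, and flags secrets-management environment variables still left at null. The key layout (`subcomponent -> { enabled, ... }`, `certificatePath`, `environmentVariables`) is an assumption for illustration; adjust it to the real security.json schema.

```javascript
// Added example, not _spartan's own code. The policy layout below is an
// ASSUMPTION: each subcomponent is an object with an `enabled` flag plus
// the keys named in the table (certificate path, environment variables).

// Constructed sample mirroring the documented defaults: apiPolicy and
// resourceSharing off, a certificate path pasted inline, secrets left null.
const SAMPLE_POLICY = {
  apiPolicy: { enabled: false },
  resourceSharing: { enabled: false },
  connections: { enabled: true, certificatePath: '/etc/ssl/private/app.pem' },
  secretsManagement: { enabled: true, environmentVariables: null },
  securityHeaders: { enabled: true },
};

// Review a parsed policy and return findings to resolve before running
// `_spartan --force` or deploying the boilerplate.
function reviewPolicy(policy) {
  const findings = [];

  // Disabled subcomponents are skipped by the translation engine entirely.
  for (const [name, section] of Object.entries(policy)) {
    if (section && section.enabled === false) {
      findings.push(`${name}: disabled, so it is not included in the boilerplate`);
    }
  }

  // A certificate path in the policy file is secret material in plain config.
  const conn = policy.connections || {};
  if (typeof conn.certificatePath === 'string' && conn.certificatePath.length > 0) {
    findings.push('connections: certificate path stored inline; handle it via secrets management');
  }

  // Null environment variables mean secrets management is not yet completed.
  const secrets = policy.secretsManagement || {};
  if (secrets.enabled && secrets.environmentVariables === null) {
    findings.push('secretsManagement: environment variables are null; complete before deploying');
  }

  return findings;
}

// Run against the constructed sample; each finding is printed on its own line.
reviewPolicy(SAMPLE_POLICY).forEach((f) => console.log('- ' + f));
```

To check a real file, pass `JSON.parse(require('fs').readFileSync('security.json', 'utf8'))` to `reviewPolicy` instead of the sample.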