THE DEFAULT POLICY

Want to skip the interview altogether? Run _spartan init y, _spartan init Y, _spartan -D or _spartan --default in your project root directory to build a default policy (file name: ‘security.json’). After running one of these commands, _spartan writes a JSON file that assumes an internet-facing, locally hosted web application. The subcomponents it contains, and what each one defaults to, are listed below.

Subcomponent          | Enabled? | Defaults
----------------------|----------|------------------------------------------------------------
policy metadata       | true     | new policy number; internet-facing web application
application dependencies | true  | Snyk for dependency vulnerability detection
access controls       | true     | username/password for application enrollment; 3 default roles for authorization
apiPolicy             | false    | N/A
connections           | true     | uses the Node.js default cipher suites; the path to your certificates can also be added here (*)
contentValidation     | true     | attempts syntactic validation (is ‘date’ a Date?) and semantic validation (is startDate before endDate?)
databases             | true     | assumes a local MongoDB instance and applies basic data tagging (public, private, top secret)
forms                 | true     | forces autocomplete="off", does not allow method override, allows JSON content to be accepted
logging               | true     | names custom logging levels and sets /var/log/{appName} as the log location; provides the “plumbing” for an eventual pipe to a Kibana or Logstash store (feature under development)
resource sharing      | false    | N/A
secrets management    | true     | “environment variables” set to null; see “secrets management” in the security.json section for how to complete this
security headers      | true     | creates a Content Security Policy (all directives set to ‘self’, i.e. a same-origin site); enables the sandbox, Strict-Transport-Security and Cache-Control headers
session management    | true     | sets cookie generation parameters (secure, httpOnly, sameSite), session ID length and entropy, and invalidation rules (e.g. invalidate on window close)

apiPolicy and resourceSharing are disabled in the default policy, and these two subcomponents are therefore not included in the generated boilerplate.

To enable them in an existing project, set the enabled flag to true for both subcomponents in security.json and then run _spartan --force, which forces the translation engine to re-evaluate the policy with those changes in place. To have them enabled by default for every new project instead, change the default policy itself so that both values are true; see the --set-as-default option in the command line section.

(*) Putting the direct path to your certificates in the policy is NOT RECOMMENDED; the option exists only for feature completeness. The path points at your certificate and its private key, which are secret material and should be treated as such rather than stored in security.json. Consult the “secrets management” section in the security.json section for how to supply them instead.

The default policy is designed to be exceptionally strict. You should ABSOLUTELY review and modify the generated policy to ensure that it suits your application’s needs, or you may find your application unusable.