In order to generate your policy, _spartan has to learn about your application. _spartan asks about 10 questions and, after capturing the answers, generates a full policy file with some smart defaults. To start the process, run _spartan init in your project’s root directory. The questions it asks are:
```javascript
questions: [
  {
    ... // more things
    message: 'Q0. What is the name of the application?',
    ... // more things
  },
  {
    ... // more things
    message: 'Q1. Application Type : What kind of application is this? \n * Tip: How will MOST users interact with your application?',
    ... // more things
  },
  {
    ... // more things
    message: "Q1.1 What is the application hostname? \n * Tip: How will users REACH your application, like: 'http://localhost:8080' or 'www.google.com'",
    ... // more things
  },
  {
    ... // more things
    message: "Q2. Application Accessibility : Will the application be accessible over the Internet? \n * Tip : if this is a possibility in the future, say 'Yes'",
    ... // more things
  },
  {
    ... // more things
    message: "Q3. User Sign-in : Will your application require any kind of sign-in or authentication functionality in order to utilize certain routes or services? \n * Tip : if this is a possibility in the future, say 'Yes'",
    ... // more things
  },
  {
    ... // more things
    message: "Q4. Sessions : Will the application have predetermined session lengths or can users be logged in indefinitely? \n * Tip : if this is a possibility in the future, say 'Yes'",
    ... // more things
  },
  {
    ... // more things
    message: 'Q4.1 What is the default session length (TTL) in seconds?',
    ... // more things
  },
  {
    ... // more things
    message: "Q5. Connection Security : Does the application force secure transport (HTTPS, SSH, etc) throughout? \n * Tip : if your application responds to requests over non-secure means on any component say 'No'",
    ... // more things
  },
  {
    ... // more things
    message: "Q6. Content Acquisition : Is all of the data/content generated and processed within your application? \n * Tip : if you plan to use external APIs at any point, choose the second answer. You'll have the opportunity to specify these sources later",
    ... // more things
  },
  {
    ... // more things
    message: "Q6.1. Content Sources: Sweet! What are those sources? (JSON)\n * Tip: While specificity is more secure, it's also limiting. Use '*' operand for more flexible options. Use the formatting in the default",
    default: '{"default" : ["\'self\'", "\'www.redit.com\'"], "media" : ["\'self\'", "\'*.pinterest.com\'", "\'https://*.flickr.com\'", "\'ftp://video.domain.com:21\'"], "images" : ["\'self\'"], "styles" : ["\'*.bootstrap.com\'", "\'https://materializecss.com\'", "\'self\'"], "scripts" : ["\'self\'"], "frames" : ["\'none\'"]}',
    // ^^^ this sets up both the content security policy as well as the CORS policy (if configured)
    ... // more things
  },
  {
    ... // more things
    message: 'Q7. Forms: Will your application utilize input forms for data collection?\n * Tip : Consider collection of ratings, feedback, reviews, search, profiles etc...',
    ... // more things
  },
  {
    ... // more things
    message: "Q8. Caching Strategy: Do you have any intention of introducing a caching layer or using a Content Delivery Network (CDN)?\n * Tip : If this is a possibility in the future, choose 'yes'.",
    ... // more things
  },
  {
    ... // more things
    message: 'Q8.1. Cache Time To Live (TTL): For MOST public data generated by the application, how long (in seconds) should this information be cached?\n * Tip : Shorter TTLs will require more requests of the application origin; longer TTLs may result in stale, invalid data. You can override this on a per-route basis',
    ... // default is ~ 6 months (in seconds)
  },
  {
    ... // more things
    message: 'Q9. Application Hosting : Where will application be deployed & hosted? \n * Tip : Looking for GCP, Serverless, AWS, Rackspace, Heroku or similar',
    ... // more things
  },
  {
    ... // more things
    message: 'Q10. Logging and Auditing: Where will application logs be stored? (absolute path)',
    ... // more things
  }
]
```
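How the Q6.1 "Content Sources" answer might be turned into a Content-Security-Policy header, as an added example that is not _spartan's own code: the group names (default, media, images, styles, scripts, frames) are the ones in the question's default answer, while the directive mapping, the normalizeSource and buildCsp function names and the validation rules are assumptions. It also shows the check a practitioner wants here: in CSP only keywords such as 'self' and 'none' are single-quoted, and a host source written in quotes (the default answer's "'www.redit.com'") is not a valid source expression if copied verbatim, so the example strips those quotes, and it rejects a bare, unquoted keyword, which a browser would otherwise read as a host literally named self.

```javascript
// Added example, not part of _spartan: build a Content-Security-Policy header
// value from the JSON answer to Q6.1 (Content Sources).

// Group names come from the questionnaire's default answer; the mapping to
// CSP directives is an assumption about how such groups would be used.
const GROUP_TO_DIRECTIVE = {
  default: 'default-src',
  media: 'media-src',
  images: 'img-src',
  styles: 'style-src',
  scripts: 'script-src',
  frames: 'frame-src',
};

// In CSP only keywords are single-quoted; host and scheme sources are bare.
const CSP_KEYWORDS = new Set(["'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'"]);
const KEYWORD_NAMES = new Set(['self', 'none', 'unsafe-inline', 'unsafe-eval']);

// Accepts '*', a bare scheme ("https:"), or [scheme://][*.]host[:port|:*].
const SOURCE_EXPRESSION =
  /^(\*|[a-z][a-z0-9+.-]*:|([a-z][a-z0-9+.-]*:\/\/)?(\*\.)?[a-z0-9-]+(\.[a-z0-9-]+)*(:(\d+|\*))?)$/i;

// Normalize one token from the answer:
//   "'self'"          -> "'self'"         (keyword, kept quoted)
//   "'www.redit.com'" -> "www.redit.com"  (stray quotes removed)
//   "self"            -> error            (unquoted keyword would be read as a host)
function normalizeSource(token) {
  const t = String(token).trim();
  if (CSP_KEYWORDS.has(t)) return t;
  const bare = t.replace(/^'+|'+$/g, '');
  if (KEYWORD_NAMES.has(bare.toLowerCase())) {
    throw new Error(`keyword ${bare} must be written as '${bare}'`);
  }
  if (!SOURCE_EXPRESSION.test(bare)) {
    throw new Error(`invalid content source: ${token}`);
  }
  return bare;
}

// Turn the whole Q6.1 answer (a JSON string) into a CSP header value.
function buildCsp(answerJson) {
  const groups = JSON.parse(answerJson);
  const directives = [];
  for (const [group, sources] of Object.entries(groups)) {
    const directive = GROUP_TO_DIRECTIVE[group];
    if (!directive) throw new Error(`unknown content source group: ${group}`);
    if (!Array.isArray(sources) || sources.length === 0) {
      throw new Error(`group ${group} must be a non-empty array of sources`);
    }
    const normalized = sources.map(normalizeSource);
    // 'none' only makes sense on its own; combining it with other sources is a mistake.
    if (normalized.includes("'none'") && normalized.length > 1) {
      throw new Error(`group ${group}: 'none' cannot be combined with other sources`);
    }
    directives.push(`${directive} ${normalized.join(' ')}`);
  }
  return directives.join('; ');
}

// The default answer shown for Q6.1 above, as the string the prompt would return.
const DEFAULT_CONTENT_SOURCES =
  `{"default" : ["'self'", "'www.redit.com'"], "media" : ["'self'", "'*.pinterest.com'", "'https://*.flickr.com'", "'ftp://video.domain.com:21'"], "images" : ["'self'"], "styles" : ["'*.bootstrap.com'", "'https://materializecss.com'", "'self'"], "scripts" : ["'self'"], "frames" : ["'none'"]}`;

console.log(buildCsp(DEFAULT_CONTENT_SOURCES));
```

Run with node; the default answer yields `default-src 'self' www.redit.com; media-src 'self' *.pinterest.com https://*.flickr.com ftp://video.domain.com:21; img-src 'self'; style-src *.bootstrap.com https://materializecss.com 'self'; script-src 'self'; frame-src 'none'`. The same grouped answer is what the comment in the questionnaire says also feeds the CORS configuration; that side is not covered here, since the page gives no detail on how the groups map to CORS origins.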
With so few questions, _spartan must make some inferences during policy generation and applies some smart defaults when building the policy and boilerplate code. For more control over the values built into the policy, you can run the long-form questions like this: _spartan init L. This is a much longer interview process, but it gives you the most control over both the policy (security.json) and the boilerplate code.