Baroshem Nuxt Security Versions

🛡 Automatically configure your app to follow OWASP security patterns and principles by using HTTP Headers and Middleware

v1.4.0

3 weeks ago

1.4.0 🎉

This version is a significant rewrite of the core engine of Nuxt Security, motivated primarily by the introduction of runtime hooks in PR https://github.com/Baroshem/nuxt-security/pull/298 by @huang-julien and comments thereon by @harlan-zw.

Huge kudos to @vejja for delivering this great functionality 💚

Full Route-Level Compatibility

This great addition by Sebastien is described in detail in https://github.com/Baroshem/nuxt-security/pull/429, but a short summary follows.

New features

  • All security options can now be modified via runtime hooks. It is now possible to modify any of the Nuxt Security options, not solely the headers: any other option, such as hidePoweredBy or rateLimiter, is now taken into consideration and applied at route level.

  • Route rules are now consistently merged. The router merging strategy is now the same irrespective of how the security options are set (inline, global, routeRules, and runtime hooks). Previously, it was a mix of defu, defuReplaceArray, and plain overwriting, leading to confusion about how nested rules would apply (see https://github.com/Baroshem/nuxt-security/issues/430 for instance). We now apply the defuReplaceArray strategy across the board.

  • Clear scoping of security headers to HTML pages, SWR support. We now make a clearer distinction between the scope of Nitro plugins (modifying HTML pages and their headers) and the scope of server middlewares (functions that apply to all routes). This avoids overwriting the headers of non-HTML assets with irrelevant options, and as a result we are able to support SWR natively.

  • Route-level support of RateLimiter. Thanks to the ability to resolve security routes at runtime (resolveSecurityRoutes), we are now able to support route-based definitions for the Rate Limiter. This solves the issue of getting 429 denials for routes where we want a higher rate limit. We also take this opportunity to solve the issue of getting 429s when pre-rendering.

New runtime hook

This PR introduces a new runtime hook, nuxt-security:routeRules, that allows modifying any security rule on any route. With this hook, the user can apply any strategy for the rule (merge, overwrite, append, etc.).

export default defineNitroPlugin((nitroApp) => {
  nitroApp.hooks.hook('nuxt-security:routeRules', async (routeRules) => {
    // any kind of modification of routeRules here, such as:
    routeRules['/my-route'] = { /* ... */ }
  })
})
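To make the merging behaviour concrete, here is an added example (not nuxt-security's own code) that re-implements the defuReplaceArray strategy the notes above describe, and uses it the way a nuxt-security:routeRules hook would: an override for one route is merged into that route's rule, and the effective options for a request are the route rule layered over the global options. The semantics assumed are those stated in the notes: plain objects merge recursively, while arrays (and scalars such as `false`) from the higher-priority source replace the default outright instead of being concatenated. All option values are constructed for the example.

```javascript
// Added example (not nuxt-security's own code): a minimal re-implementation of the
// "defuReplaceArray" merge strategy the 1.4.0 notes describe, applied to security
// route rules the way a nuxt-security:routeRules hook would mutate them.
// Semantics assumed: plain objects merge recursively; arrays, booleans and strings
// in the higher-priority source replace the default outright; `undefined` falls through.

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// defuReplaceArray(source, defaults): `source` wins; arrays replace, never concatenate.
function defuReplaceArray(source, defaults) {
  const result = { ...(defaults ?? {}) };
  for (const [key, value] of Object.entries(source ?? {})) {
    if (value === undefined) continue;
    result[key] = isPlainObject(value) && isPlainObject(result[key])
      ? defuReplaceArray(value, result[key])
      : value;
  }
  return result;
}

// Constructed sample of global options (values invented for the example).
const globalSecurity = {
  hidePoweredBy: true,
  rateLimiter: { tokensPerInterval: 150, interval: 300000 },
  headers: {
    contentSecurityPolicy: {
      'default-src': ["'self'"],
      'script-src': ["'self'", "'nonce-{{nonce}}'"],
    },
    xFrameOptions: 'SAMEORIGIN',
  },
};

// What a routeRules hook would do: merge an override into the rule for one route.
function applyRouteOverride(routeRules, route, override) {
  routeRules[route] = defuReplaceArray(override, routeRules[route]);
  return routeRules;
}

// Effective options for a path: the route rule layered over the global options.
function resolveSecurity(routeRules, path, globals) {
  return defuReplaceArray(routeRules[path], globals);
}

// A public API route: higher rate limit, scripts blocked entirely, framing unrestricted.
const routeRules = applyRouteOverride({}, '/api/public', {
  rateLimiter: { tokensPerInterval: 1000 },
  headers: {
    contentSecurityPolicy: { 'script-src': ["'none'"] },
    xFrameOptions: false,
  },
});

const effective = resolveSecurity(routeRules, '/api/public', globalSecurity);
// rateLimiter.interval is inherited (300000); script-src is ["'none'"] rather than
// ["'self'", "'nonce-{{nonce}}'", "'none'"]; xFrameOptions is false.
console.log(JSON.stringify(effective, null, 2));
```

The point to notice is the script-src array: with a concatenating merge the route would have ended up allowing `'self'` and the nonce in addition to `'none'`, which is not what the override asked for; with array replacement the route gets exactly the directive it declared, while untouched keys such as default-src and the rate-limiter interval still fall through from the global options.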

The former nuxt-security:ready and nuxt-security:headers hooks are still supported, but we are soft-deprecating them by removing them from the documentation.

Additional notes

This version also soft-deprecates the substitution merging via string syntax feature. This is now rendered unnecessary because the defuReplaceArray strategy is applied consistently everywhere.

We are removing corresponding mentions in the documentation, which were confusing (it only applied to headers, and it only applied in the router merging step but not in the definition step). The feature still exists to maintain backwards compatibility.

Please note that some security options can only be applied globally (removeLoggers, csrf and basicAuth) because they depend on third-party modules. The TypeScript definitions have been updated to remove these three options from the properties that can be set at route level.

πŸ—žοΈ Next steps

We are planning a new release soon with the Nuxt DevTools Tab support 🚀

👉 Changelog: compare changes

❤️ Contributors

  • @vejja
  • @Jesse1989pp made their first contribution
  • @Dominic-Marcelino made their first contribution
  • @snepsnepy made their first contribution

v1.3.0

1 month ago

1.3.0 🎉

This version brings several bugfixes and small new features.

Kudos to all contributors! 💚

πŸ—žοΈ Next steps

We are already planning a release 1.3.0 that will include support for the rate limiter both globally and per route, as well as protecting APIs 🚀

👉 Changelog: compare changes

🚀 Enhancements

  • fetch buffers from storage and convert to object
  • enhance FormData with XSS validation feature

🩹 Fixes

  • remove frame-ancestors from meta
  • generate meta tag without html,head,body tags
  • do not decode entities in HTML
  • opt in to import.meta.* properties
  • set nonce in response headers instead of using configuration

📖 Documentation

  • use new nuxi module add command in installation

❤️ Contributors

  • @vejja
  • @huang-julien
  • @Ray0907 made their first contribution
  • @danielroe
  • @mtdvlpr

v1.2.0

2 months ago

1.2.0 🎉

This version brings several bugfixes and small new features mostly related to XSS Validator.

Kudos to all contributors! 💚

πŸ—žοΈ Next steps

We are already planning a release 1.3.0 that will include support for DevTools 🚀

👉 Changelog: compare changes

🚀 Enhancements

  • add escapeHtml option to XssValidator
  • allow users to configure methods for XSSValidator
  • disable meta tag for SSG mode

🩹 Fixes

  • add explicit imports for setHeader and removeResponseHeader in 00-context.ts
  • move middleware logic to beforeResponse

📖 Documentation

  • fix the example for runtime hooks
  • handling state with care
  • add favicon fix

v1.1.0

3 months ago

1.1.0 🎉

1.1.0 is the first minor release since the stable 1.0.0 version

The biggest feature of this version is support for runtime config by @huang-julien ❤️ Take a look at the instructions below to understand how to use it in your app.

If you need to change the headers configuration at runtime, you can do it through the nuxt-security:headers hook.

Enabling the option

This feature is optional; you can enable it with:

export default defineNuxtConfig({
    modules: ['nuxt-security'],
    security: {
        runtimeHooks: true
    }
})

Within your Nitro plugin, you can override the previous configuration of a route with nuxt-security:headers.

export default defineNitroPlugin((nitroApp) => {
    nitroApp.hooks.hook('nuxt-security:ready', () => {
        nitroApp.hooks.callHook('nuxt-security:headers', '/**', {
            contentSecurityPolicy: {
                "script-src": ["'self'", "'unsafe-inline'"],
            },
            xFrameOptions: false
        })
    })
})

And also, huge kudos to all contributors 🎉

πŸ—žοΈ Next steps

We are already planning a release 1.2.0 with additional cool features. Stay tuned! 🚀

👉 Changelog: compare changes

🚀 Enhancements

  • allow configuring headers in runtime
  • improving performance for SSG apps by cheerio optimizations

🩹 Fixes

  • disable 05-cspSsgPresets

📖 Documentation

  • correct default for crossOriginEmbedderPolicy
  • add new video and introduction page
  • add favicon fix

❤️ Contributors

  • vejja (@vejja)
  • Jonas Thelemann (@dargmuesli)
  • @CMarzin
  • @AfganAbbas
  • @huang-julien
  • @felix-dolderer

v1.0.0

5 months ago

1.0.0 🎉

1.0.0 is the stable release

After five release candidate versions, we are now ready to present a stable 1.0.0 release of NuxtSecurity. We have spent a lot of time stabilising the API while constantly improving security by implementing features like:

  • Strict Content Security Policy
  • Improved Rate Limiter
  • Subresource Integrity
  • Nonce
  • Per route Security headers configuration
  • Documentation about improving security of your Nuxt app

At this point I would like to thank @vejja, who did amazing work delivering a lot of the functionality mentioned both above and below. You are a magician! 🚀

And also, huge kudos to all contributors 🎉

✅ Migration Guide (0.14.X -> 1.0.0)

We have tried our best not to include significant breaking changes in the stable 1.0.0 version, but some changes were necessary to improve the quality of the module. Don't worry, we have prepared a migration guide with all the changes and how to approach migrating your current application to be up to date with 1.0.0 :)

1. Modified the structure of allowedMethodsRestricter

In the previous version, allowedMethodsRestricter was an array of HTTP methods, or '*' for all methods.

export default defineNuxtConfig({
  security: {
    allowedMethodsRestricter: ['GET']
  }
})

Now it is configured as follows:

export default defineNuxtConfig({
  security: {
    allowedMethodsRestricter: {
      methods: ['GET'],
      throwError: true // optional
    }
  }
})

This change allows passing a throwError property, which can be useful to return an error response rather than throwing a default Nuxt error.

2. Changed the disabled value for permissionsPolicy

In the previous version, if you wanted to disable a certain API, like the camera, you would do something like this:

export default defineNuxtConfig({
  security: {
    headers: {
      permissionsPolicy: {
        'camera': [()]
      },
    },
  },
})

Now it is configured as follows:

export default defineNuxtConfig({
  security: {
    headers: {
      permissionsPolicy: {
        'camera': [] // This will block usage of camera by this website
      },
    },
  },
})

This change fixes an issue with passing several directives, described in #194.
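The reason the disabled value moved to `[]` is easier to see once the config object is turned into the header the browser actually receives. The following is an added example, not nuxt-security's own code: it serialises a permissionsPolicy object of the shape shown above (and again in the rc.1 notes further down) into a Permissions-Policy header value, where an empty allowlist becomes the empty list `()` that disables a feature everywhere. The old `[()]` spelling is not valid JavaScript, so it could never have been parsed consistently, which is the kind of problem #194 describes. The policy values are constructed for the example, and the rule that `false` omits a directive is an assumption, not something the notes state.

```javascript
// Added example (not nuxt-security's own code): serialises a permissionsPolicy object
// into a Permissions-Policy header value using the structured-header syntax browsers parse.
// Mapping applied:
//   []                      -> feature=()                 (disabled for every origin)
//   ['*']                   -> feature=*                  (allowed everywhere)
//   ['self', 'https://x']   -> feature=(self "https://x") (origins are quoted, tokens are not)
//   false                   -> directive omitted          (assumed convention, not from the notes)

const BARE_TOKENS = new Set(['*', 'self', 'src']);

// One allowlist entry: keep spec tokens bare, quote everything else as an origin.
function serializeAllowlistItem(item) {
  const token = String(item).replace(/^"|"$/g, ''); // accept already-quoted input too
  if (BARE_TOKENS.has(token)) return token;
  let url;
  try {
    url = new URL(token);
  } catch {
    throw new Error(`invalid origin in Permissions-Policy allowlist: ${item}`);
  }
  return `"${url.origin}"`; // normalises to scheme://host[:port], dropping any path
}

function serializePermissionsPolicy(policy) {
  const directives = [];
  for (const [feature, allowlist] of Object.entries(policy)) {
    if (allowlist === false) continue; // assumed: do not emit this directive at all
    if (!Array.isArray(allowlist)) {
      throw new TypeError(`${feature}: allowlist must be an array (use [] to disable the feature)`);
    }
    if (allowlist.length === 1 && allowlist[0] === '*') {
      directives.push(`${feature}=*`);
      continue;
    }
    directives.push(`${feature}=(${allowlist.map(serializeAllowlistItem).join(' ')})`);
  }
  return directives.join(', ');
}

// Constructed sample: camera and microphone disabled, geolocation limited to this
// site and one partner origin, fullscreen allowed for every embedded origin.
const samplePolicy = {
  camera: [],
  microphone: [],
  geolocation: ['self', 'https://maps.example.com/some/path'],
  fullscreen: ['*'],
};

console.log(serializePermissionsPolicy(samplePolicy));
```

The `[]` form maps one-to-one onto the header's empty allowlist, which is why it is the natural "disabled" value: there is nothing to parse and nothing to misinterpret. Passing a string or an object for a feature is rejected outright rather than silently emitting a malformed directive, since a browser that cannot parse a Permissions-Policy directive ignores it and the feature stays enabled.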

3. Changed the type of interval in rateLimiter

In the previous version, if you wanted to set the interval for your rateLimiter you would do something like this:

export default defineNuxtConfig({
  security: {
    rateLimiter: {
      interval: 'hour' // or a number of milliseconds, e.g. 60000
    }
  }
})

Now it is configured as follows:

export default defineNuxtConfig({
  security: {
    rateLimiter: {
      interval: 60000
    }
  }
})

This change was required to migrate to an updated rateLimiter that supports modern examples.

4. Nonce value

In the previous version, nonce could be either an object of type NonceOptions or false.

export type NonceOptions = {
  enabled: boolean;
  mode?: 'renew' | 'check';
  value?: (() => string);
}

Now it is only a boolean value:

export default defineNuxtConfig({
  security: {
    nonce: true // or false
  }
})

This change was necessary to resolve a security vulnerability in the nonce handling reported by vejja in https://github.com/Baroshem/nuxt-security/pull/257. Read more about the new usage of nonce in this module at https://nuxt-security.vercel.app/documentation/headers/csp#nonce

5. Strict Content Security Policy by default

In this version, we have substantially updated ContentSecurityConfiguration; specifically, we have enabled strict CSP by default to spread good security practices.

If you are experiencing some issues with CSP, check out the new documentation about it:

  1. Basic CSP usage -> https://nuxt-security.vercel.app/documentation/headers/csp
  2. Advanced & Strict CSP -> https://nuxt-security.vercel.app/documentation/advanced/strict-csp

🍾 New features

This PR introduces per-route configuration of security headers, via

export default defineNuxtConfig({
  routeRules: {
    '/some-route': {
      security: {
        headers: { /* ... */ }
      }
    }
  }
})

πŸ—žοΈ Next steps

This is the last release candidate version. In the next few weeks we are planning to release the stable 1.0.0 version :)

👉 Changelog: compare changes

🚀 Enhancements

  • move logic of Static plugins to the top of module.ts to decrease the amount of code for SSG apps
  • improve rateLimiter with support for unstorage (#190)
  • remove console.logs after build (#128)
  • add an include option for basicAuth (#219)
  • option to disable hashing for SSG (#215)
  • support for CSRF in Serverless Environments
  • Add credentialless value to Cross-Origin-Embedder-Policy header
  • Export configuration type
  • Improve CSP Compliance
  • ensure csp plugins are added last
  • Extend CSP support of SSG mode
  • use cheerio HTML parser for CSP
  • hashStyles option
  • Strict CSP by default
  • SRI hashes for SSG mode
  • Subresource Integrity
  • Per-route object based headers configuration
  • Limiting CSP header to HTML responses only
  • Migrate to Node 18.X
  • Allow falling back to global options when per-route option is not provided

🩹 Fixes

  • useCsrf() is undefined (#203)
  • CSRF tokens cause breakage on build using serverless environments due to incompatible exports of Node Crypto (#167)
  • upgrade-insecure-requests cannot be turned off for static build (#214)
  • invalid permission policy parser (#194)
  • remove broken test for nonce (#213)
  • Basic Auth Configuration for Multiple Paths
  • Nonce value is injected in all pre-rendered pages if the nonce option is set to true
  • failed to find a valid digest in the 'integrity' attribute
  • Strict-Transport-Security as string not parsing max-age correctly
  • Nuxt 3.8.1 breaks Subresource Integrity
  • Unrecognized Content-Security-Policy directive 'undefined'
  • Build fails because of removeLoggers
  • allow csp value to be false

📖 Documentation

  • refactor docs to be easier (#135)
  • create faq section in docs from questions in Github issues (#192)
  • security composable to use in pages (#217)
  • Content-Security-Policy: The page's settings blocked the loading of a resource at inline (#218)
  • custom CSP merger (#198)
  • stripe blocked by 'Cross-Origin-Embedder-Policy' (#229)
  • update 3.rate-limiter.md fix comma (#204)
  • New section for Contributing
  • New section for Usage
  • Reorganised Navigation
  • Added global Search
  • New Homepage
  • New section for Headers
  • New section for utils
  • Embedded Playground
  • New page for Releases
  • Migrated to newest docus
  • New Preview Image
  • Per Route Security configuration with headers
  • Clarify rateLimiter interval property
  • Advanced documentation about Content Security Policy
  • Cross-Origin-Resource-Policy header Error on Paypal Checkout -> FAQ

🏡 Chore

  • remove legacy approach for middlewares in types and module.ts file (#191)
  • bump packages to newer versions (#183) -> Nuxt 3.2 -> 3.7
  • Reorganized project repository for easier maintenance
  • specify package manager (#225)
  • do not use default export for defu (#224)
  • Improve TS config

🤖 CI

  • improved CI script for automatic unit tests for main, rc, and renovate branches

❤️ Contributors

  • vejja (@vejja)
  • Jonas Thelemann (@dargmuesli)
  • Thomas Rijpstra (@trijpstra-fourlights)
  • Nik (@n4an)
  • Daniel Roe (@danielroe)
  • Pooya Parsa (@pi0)
  • Sébastien Chopin (@Atinux)
  • Mr. K V (@69u)
  • Loïs (@Applelo)
  • Max Druzhinin (@maxdzin)
  • Fabricio Carvalho (@fabricioOak)
  • nekotoriy (@nekotoriy)
  • Insomnius (@insomnius)
  • Boring Dragon (@boring-dragon)
  • Espen Solli Grande (@espensgr)
  • Tristan (@Tristan971)
  • nsratha (@rathahin)
  • Geeky Shows (@geekyshow1)

v1.0.0-rc.5

5 months ago

1.0.0-rc.5 is the next release candidate

🍾 New features

This PR introduces per-route configuration of security headers, via

export default defineNuxtConfig({
  routeRules: {
    '/some-route': {
      security: {
        headers: { /* ... */ }
      }
    }
  }
})

πŸ—žοΈ Next steps

This is the last release candidate version. In the next few weeks we are planning to release the stable 1.0.0 version :)

👉 Changelog: compare changes

🚀 Enhancements

  • Per-route object based headers configuration
  • Limiting CSP header to HTML responses only
  • Migrate to Node 18.X
  • Allow falling back to global options when per-route option is not provided

🩹 Fixes

  • failed to find a valid digest in the 'integrity' attribute
  • Strict-Transport-Security as string not parsing max-age correctly
  • Nuxt 3.8.1 breaks Subresource Integrity
  • Unrecognized Content-Security-Policy directive 'undefined'
  • Build fails because of removeLoggers

📖 Documentation

  • Per Route Security configuration with headers

❤️ Contributors

  • vejja (@vejja)

v1.0.0-rc.4

6 months ago

1.0.0-rc.4 is the next release candidate

πŸ—žοΈ Next steps

We are planning to release one or two more release candidate versions before the stable 1.0.0 version is released.

✅ Migration Guide

This version may include ⚠️ breaking changes, but don't worry, we have prepared a migration guide for you 😉

In this version, we have substantially updated ContentSecurityConfiguration; specifically, we have enabled strict CSP by default to spread good security practices.

If you are experiencing some issues with CSP, check out the new documentation about it:

  1. Basic CSP usage -> https://nuxt-security.vercel.app/documentation/headers/csp
  2. Advanced & Strict CSP -> https://nuxt-security.vercel.app/documentation/advanced/strict-csp

👉 Changelog: compare changes

🚀 Enhancements

  • hashStyles option
  • Strict CSP by default
  • SRI hashes for SSG mode
  • Subresource Integrity

🩹 Fixes

  • allow csp value to be false

📖 Documentation

  • Advanced documentation about Content Security Policy
  • Cross-Origin-Resource-Policy header Error on Paypal Checkout -> FAQ

⚠️ Breaking Changes

  • Strict CSP

❤️ Contributors

  • vejja (@vejja)
  • Jonas Thelemann (@dargmuesli)
  • Geeky Shows (@geekyshow1)

v1.0.0-rc.3

6 months ago

1.0.0-rc.3 is the next release candidate

πŸ—žοΈ Next steps

We are planning to release one or two more release candidate versions with bugfixes before the stable 1.0.0 version is released.

✅ Migration Guide

This version includes ⚠️ breaking changes, but don't worry, we have prepared a migration guide for you 😉

In the previous version, nonce could be either an object of type NonceOptions or false.

export type NonceOptions = {
  enabled: boolean;
  mode?: 'renew' | 'check';
  value?: (() => string);
}

Now it is only a boolean value:

export default defineNuxtConfig({
  security: {
    nonce: true // or false
  }
})

This change was necessary to resolve a security vulnerability in the nonce handling reported by vejja in https://github.com/Baroshem/nuxt-security/pull/257. Read more about the new usage of nonce in this module at https://nuxt-security.vercel.app/documentation/headers/csp#nonce

👉 Changelog: compare changes

🚀 Enhancements

  • Add credentialless value to Cross-Origin-Embedder-Policy header
  • Export configuration type
  • Improve CSP Compliance
  • ensure csp plugins are added last
  • Extend CSP support of SSG mode
  • use cheerio HTML parser for CSP

🩹 Fixes

  • Basic Auth Configuration for Multiple Paths
  • Nonce value is injected in all pre-rendered pages if the nonce option is set to true

📖 Documentation

  • Clarify rateLimiter interval property

🏡 Chore

  • Improve TS config

⚠️ Breaking Changes

  • CSP Compliance

❤️ Contributors

  • Espen Solli Grande (@espensgr)
  • vejja (@vejja)
  • Tristan (@Tristan971)
  • Jonas Thelemann (@dargmuesli)
  • nsratha (@rathahin)

πŸ‹οΈβ€β™‚οΈ New Contributors

v1.0.0-rc.1

6 months ago

1.0.0-rc.1 is the first release candidate

πŸ—žοΈ Next steps

We are planning to release one or two more release candidate versions with bugfixes before the stable 1.0.0 version is released.

✅ Migration Guide

This version includes ⚠️ breaking changes, but don't worry, we have prepared a migration guide for you 😉

Modified the structure of allowedMethodsRestricter

In the previous version, allowedMethodsRestricter was an array of HTTP methods, or '*' for all methods.

export default defineNuxtConfig({
  security: {
    allowedMethodsRestricter: ['GET']
  }
})

Now it is configured as follows:

export default defineNuxtConfig({
  security: {
    allowedMethodsRestricter: {
      methods: ['GET'],
      throwError: true // optional
    }
  }
})

This change allows passing a throwError property, which can be useful to return an error response rather than throwing a default Nuxt error.

Changed the disabled value for permissionsPolicy

In the previous version, if you wanted to disable a certain API, like the camera, you would do something like this:

export default defineNuxtConfig({
  security: {
    headers: {
      permissionsPolicy: {
        'camera': [()]
      },
    },
  },
})

Now it is configured as follows:

export default defineNuxtConfig({
  security: {
    headers: {
      permissionsPolicy: {
        'camera': [] // This will block usage of camera by this website
      },
    },
  },
})

This change fixes an issue with passing several directives, described in #194.

Changed the type of interval in rateLimiter

In the previous version, if you wanted to set the interval for your rateLimiter you would do something like this:

export default defineNuxtConfig({
  security: {
    rateLimiter: {
      interval: 'hour' // or a number of milliseconds, e.g. 60000
    }
  }
})

Now it is configured as follows:

export default defineNuxtConfig({
  security: {
    rateLimiter: {
      interval: 60000
    }
  }
})

This change was required to migrate to an updated rateLimiter that supports modern examples.

👉 Changelog: compare changes

🚀 Enhancements

  • move logic of Static plugins to the top of module.ts to decrease the amount of code for SSG apps
  • improve rateLimiter with support for unstorage (#190)
  • remove console.logs after build (#128)
  • add an include option for basicAuth (#219)
  • option to disable hashing for SSG (#215)
  • support for CSRF in Serverless Environments

🩹 Fixes

  • useCsrf() is undefined (#203)
  • CSRF tokens cause breakage on build using serverless environments due to incompatible exports of Node Crypto (#167)
  • upgrade-insecure-requests cannot be turned off for static build (#214)
  • invalid permission policy parser (#194)
  • remove broken test for nonce (#213)

📖 Documentation

  • refactor docs to be easier (#135)
  • create faq section in docs from questions in Github issues (#192)
  • security composable to use in pages (#217)
  • Content-Security-Policy: The page's settings blocked the loading of a resource at inline (#218)
  • custom CSP merger (#198)
  • stripe blocked by 'Cross-Origin-Embedder-Policy' (#229)
  • update 3.rate-limiter.md fix comma (#204)
  • New section for Contributing
  • New section for Usage
  • Reorganised Navigation
  • Added global Search
  • New Homepage
  • New section for Headers
  • New section for utils
  • Embedded Playground
  • New page for Releases
  • Migrated to newest docus
  • New Preview Image

🏡 Chore

  • remove legacy approach for middlewares in types and module.ts file (#191)
  • bump packages to newer versions (#183) -> Nuxt 3.2 -> 3.7
  • Reorganized project repository for easier maintenance
  • specify package manager (#225)
  • do not use default export for defu (#224)

🤖 CI

  • improved CI script for automatic unit tests for main, rc, and renovate branches

⚠️ Breaking Changes

  • Permissions Policy
  • Allowed Methods Restricter

❤️ Contributors

  • Nik (@n4an)
  • Daniel Roe (@danielroe)
  • Thomas Rijpstra (@trijpstra-fourlights)
  • Pooya Parsa (@pi0)
  • Sébastien Chopin (@Atinux)
  • Mr. K V (@69u)
  • Jonas Thelemann (@dargmuesli)
  • Loïs (@Applelo)
  • Max Druzhinin (@maxdzin)
  • Fabricio Carvalho (@fabricioOak)
  • nekotoriy (@nekotoriy)
  • vejja (@vejja)
  • Insomnius (@insomnius)
  • Boring Dragon (@boring-dragon)

πŸ‹οΈβ€β™‚οΈ New Contributors

v0.14.4

8 months ago

Full Changelog: https://github.com/Baroshem/nuxt-security/compare/v0.14.2...v0.14.4