# @dansmaculotte/nuxt-security

Module for Nuxt.js 2 to configure security headers and more.

This module has been developed for Nuxt 2. If you are looking for an equivalent compatible with Nuxt 3, please have a look at https://www.npmjs.com/package/nuxt-security.

This module allows you to configure various security headers such as CSP and HSTS, or even generate a security.txt file. Here is a list of available features:
## Setup

1. Add the `@dansmaculotte/nuxt-security` dependency to your project:

   ```bash
   yarn add @dansmaculotte/nuxt-security # or npm install @dansmaculotte/nuxt-security
   ```

2. Add `@dansmaculotte/nuxt-security` to the `modules` section of `nuxt.config.js`:

   ```js
   {
     modules: [
       // Simple usage
       '@dansmaculotte/nuxt-security',

       // With options
       [
         '@dansmaculotte/nuxt-security',
         {
           /* module options */
         }
       ]
     ],

     // Top level options
     security: {}
   }
   ```
## Options

### `dev`

- Default: `process.env.SECURITY_DEV || false`

Enable the module in development mode.
### `hsts`

- Default: `null`

This option relies on the helmet hsts package.

Example:

```js
hsts: {
  maxAge: 15552000,
  includeSubDomains: true,
  preload: true
},
```
### `csp`

- Default: `null`

This option relies on the helmet csp package.

Example:

```js
csp: {
  directives: {
    defaultSrc: ["'self'"],
    scriptSrc: ["'self'"],
    objectSrc: ["'self'"],
  },
  reportOnly: false,
},
```
### `referrer`

- Default: `null`

This option relies on the helmet referrer policy package.

Example:

```js
referrer: 'same-origin',
```
### `permissions`

- Default: `null`

This option relies on the permissions policy package.

Example:

```js
permissions: {
  notifications: ['none']
},
```

Note: this comes as a replacement for the `features` option, as the `Feature-Policy` header is deprecated. The previous `features` option is still supported for now, but it displays a warning and uses the `Permissions-Policy` header instead.
### `securityFile`

- Default: `null`

This option allows you to generate a security.txt file as described by securitytxt.org.

When generating for SPA applications, the file will appear in the `dist/.well-known` folder.

For universal applications, the file is accessible at this path: `/.well-known/security.txt`.

Example:

```js
securityFile: {
  contacts: [
    'mailto:[email protected]',
    'https://example.com/security'
  ],
  // or contacts: 'mailto:[email protected]'
  // Canonical must be the URL the file is actually served from
  canonical: 'https://example.com/.well-known/security.txt',
  preferredLanguages: ['fr', 'en'],
  // or preferredLanguages: 'fr',
  encryptions: ['https://example.com/pgp-key.txt'],
  // or encryptions: 'https://example.com/pgp-key.txt',
  acknowledgments: ['https://example.com/hall-of-fame.html'],
  // or acknowledgments: 'https://example.com/hall-of-fame.html',
  policies: ['https://example.com/policy.html'],
  // or policies: 'https://example.com/policy.html',
  hirings: ['https://example.com/jobs.html']
  // or hirings: 'https://example.com/jobs.html'
},
```
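To see what the `securityFile` options above turn into, and to catch mistakes before the file is published, here is an added example that is not part of the module: it renders the option keys listed above into the securitytxt.org text format (the mapping of option keys to standard field names is my assumption, not the module's documented behaviour) and lints the values. The sample options in the test are constructed.

```javascript
// Added illustration, not the module's own code: render the `securityFile`
// options into the security.txt format from securitytxt.org and lint them.
// Left: the module's option keys (from the README); right: the standard's field names.
const FIELD_MAP = [
  ['contacts', 'Contact'],
  ['canonical', 'Canonical'],
  ['preferredLanguages', 'Preferred-Languages'],
  ['encryptions', 'Encryption'],
  ['acknowledgments', 'Acknowledgments'],
  ['policies', 'Policy'],
  ['hirings', 'Hiring'],
];

// Every option accepts either a single string or an array of strings.
function toArray(value) {
  if (value === undefined || value === null) return [];
  return Array.isArray(value) ? value : [value];
}

function renderSecurityTxt(options) {
  const lines = [];
  for (const [key, field] of FIELD_MAP) {
    const values = toArray(options[key]);
    if (field === 'Preferred-Languages') {
      // One comma-separated field; every other field is repeated per value.
      if (values.length) lines.push(`${field}: ${values.join(', ')}`);
    } else {
      for (const v of values) lines.push(`${field}: ${v}`);
    }
  }
  return lines.join('\n') + '\n';
}

// Flag option mistakes that make the published file useless to a reporter.
function lintSecurityFile(options) {
  const warnings = [];
  const contacts = toArray(options.contacts);
  if (contacts.length === 0) warnings.push('contacts is required');
  for (const c of contacts) {
    if (!/^(mailto:|tel:|https:\/\/)/.test(c)) {
      warnings.push(`contact "${c}" is not a mailto:, tel: or https: URI`);
    }
  }
  // Canonical must be the URL the file is actually served from.
  if (options.canonical && !/\/\.well-known\/security\.txt$/.test(options.canonical)) {
    warnings.push(`canonical "${options.canonical}" does not end in /.well-known/security.txt`);
  }
  return warnings;
}
```

The options documented above expose no `Expires` field, which RFC 9116 makes mandatory, so compare the generated file against the standard before relying on it.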
### `additionalHeaders`

- Default: `false`

If `true`, it adds the following additional headers:

- `X-Frame-Options: SAMEORIGIN`
- `X-Xss-Protection: 1; mode=block`
- `X-Content-Type-Options: nosniff`
## Development

- `yarn install` or `npm install`
- `npm run dev`
## License

Copyright (c) Dans Ma Culotte [email protected]