Nuxt Security Save
Module for Nuxt.js to configure security headers and more
@dansmaculotte/nuxt-security
Module for Nuxt.js 2 to configure security headers and more
Compatibility with Nuxt releases
This module as been developed for Nuxt 2. If you are looking for an equivalent compatible with Nuxt 3, please have a look to https://www.npmjs.com/package/nuxt-security.
Features
This module allows you to configure various security headers such as CSP, HSTS or even generate security.txt file. Here is a list of availables features :
- Strict-Transport-Security header
- Content-Security-Policy header
- X-Frame-Options header
- X-Xss-Protection
- X-Content-Type-Options header
- Referrer-Policy header
- Permissions-Policy header (previously Feature-Policy)
- security.txt file generation
ToDo
- Sign security.txt with OpenPGP
- Headers as meta tags for SPA
- Public-Key-Pins
Setup
- Add
@dansmaculotte/nuxt-securitydependency to your project
yarn add @dansmaculotte/nuxt-security # or npm install @dansmaculotte/nuxt-security
- Add
@dansmaculotte/nuxt-securityto themodulessection ofnuxt.config.js
{
modules: [
// Simple usage
'@dansmaculotte/nuxt-security',
// With options
[
'@dansmaculotte/nuxt-security',
{
/* module options */
}
]
],
// Top level options
security: {}
}
Options
dev
- Default:
process.env.SECURITY_DEV || false
Enable module in development mode
hsts
- Default:
null
This option rely on helmet hsts package.
Example:
hsts: {
maxAge: 15552000,
includeSubDomains: true,
preload: true
},
csp
- Default:
null
This option rely on helmet csp package.
Example:
csp: {
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'"],
objectSrc: ["'self'"],
},
reportOnly: false,
},
referrer
- Default:
null
This option rely on helmet referrer policy package.
Example:
referrer: 'same-origin',
permissions
- Default:
null
This option rely on permissions policy package.
Example:
permissions: {
notifications: ['none']
},
Note: this come in replacement for feature option as Feature-Policy
header is deprecated.
Previous features option is still supported for now but displays a warning
and use Permissions-Policy header instead.
securityFile
- Default:
null
This option allows you to generate a security.txt described by securitytxt.org.
When generating for SPA applications, the file will appear in the dist/.well-known folder.
For universal applications, the file is accessible at this path: /.well-known/security.txt.
Example:
securityFile: {
contacts: [
'mailto:[email protected]',
'https://example.com/security'
],
// or contacts: 'mailto:[email protected]'
canonical: 'https://example.com/.well-know/security.txt',
preferredLanguages: ['fr', 'en'],
// or preferredLanguages: 'fr',
encryptions: ['https://example.com/pgp-key.txt'],
// or encryptions: 'https://example.com/pgp-key.txt',
acknowledgments: ['https://example.com/hall-of-fame.html'],
// or acknowledgments: 'https://example.com/hall-of-fame.html',
policies: ['https://example.com/policy.html'],
// or policies: 'https://example.com/policy.html',
hirings: ['https://example.com/jobs.html']
// or hirings: 'https://example.com/jobs.html'
},
additionalHeaders
- Default:
false
If true it adds additional headers :
-
X-Frame-Options: SAMEORIGIN- documentation -
X-Xss-Protection: 1; mode=block- documentation -
X-Content-Type-Options: nosniff- documentation
Development
- Clone this repository
- Install dependencies using
yarn installornpm install - Start development server using
npm run dev
License
Copyright (c) Dans Ma Culotte [email protected]
Open Source Agenda Badge
