Skip to content

Module for Nuxt.js to configure security headers and more

License

Notifications You must be signed in to change notification settings

dansmaculotte/nuxt-security

Repository files navigation

@dansmaculotte/nuxt-security

npm version npm downloads License

Module for Nuxt.js 2 to configure security headers and more

Compatibility with Nuxt releases

This module as been developed for Nuxt 2. If you are looking for an equivalent compatible with Nuxt 3, please have a look to https://www.npmjs.com/package/nuxt-security.

Features

This module allows you to configure various security headers such as CSP, HSTS or even generate security.txt file. Here is a list of availables features :

  • Strict-Transport-Security header
  • Content-Security-Policy header
  • X-Frame-Options header
  • X-Xss-Protection
  • X-Content-Type-Options header
  • Referrer-Policy header
  • Permissions-Policy header (previously Feature-Policy)
  • security.txt file generation

ToDo

  • Sign security.txt with OpenPGP
  • Headers as meta tags for SPA
  • Public-Key-Pins

📖 Release Notes

Setup

  1. Add @dansmaculotte/nuxt-security dependency to your project
yarn add @dansmaculotte/nuxt-security # or npm install @dansmaculotte/nuxt-security
  1. Add @dansmaculotte/nuxt-security to the modules section of nuxt.config.js
{
  modules: [
    // Simple usage
    '@dansmaculotte/nuxt-security',

    // With options
    [
      '@dansmaculotte/nuxt-security',
      {
        /* module options */
      }
    ]
  ],

  // Top level options
  security: {}
}

Options

dev

  • Default: process.env.SECURITY_DEV || false

Enable module in development mode

hsts

  • Default: null

This option rely on helmet hsts package.

Example:

hsts: {
  maxAge: 15552000,
  includeSubDomains: true,
  preload: true
},

csp

  • Default: null

This option rely on helmet csp package.

Example:

csp: {
  directives: {
    defaultSrc: ["'self'"],
    scriptSrc: ["'self'"],
    objectSrc: ["'self'"],
  },
  reportOnly: false,
},

referrer

  • Default: null

This option rely on helmet referrer policy package.

Example:

referrer: 'same-origin',

permissions

  • Default: null

This option rely on permissions policy package.

Example:

permissions: {
  notifications: ['none']
},

Note: this come in replacement for feature option as Feature-Policy header is deprecated. Previous features option is still supported for now but displays a warning and use Permissions-Policy header instead.

securityFile

  • Default: null

This option allows you to generate a security.txt described by securitytxt.org.

When generating for SPA applications, the file will appear in the dist/.well-known folder.

For universal applications, the file is accessible at this path: /.well-known/security.txt.

Example:

securityFile: {
  contacts: [
    'mailto:[email protected]',
    'https://example.com/security'
  ],
  // or contacts: 'mailto:[email protected]'
  canonical: 'https://example.com/.well-know/security.txt',
  preferredLanguages: ['fr', 'en'],
  // or preferredLanguages: 'fr',
  encryptions: ['https://example.com/pgp-key.txt'],
  // or encryptions: 'https://example.com/pgp-key.txt',
  acknowledgments: ['https://example.com/hall-of-fame.html'],
  // or acknowledgments: 'https://example.com/hall-of-fame.html',
  policies: ['https://example.com/policy.html'],
  // or policies: 'https://example.com/policy.html',
  hirings: ['https://example.com/jobs.html']
  // or hirings: 'https://example.com/jobs.html'
},

additionalHeaders

  • Default: false

If true it adds additional headers :

Development

  1. Clone this repository
  2. Install dependencies using yarn install or npm install
  3. Start development server using npm run dev

License

MIT License

Copyright (c) Dans Ma Culotte [email protected]