@dansmaculotte/nuxt-security


Module for Nuxt.js to configure security headers and more


Weekly downloads: 752 (up 19.55%)
Maintainers: 3
Install size: 209 kB


@dansmaculotte/nuxt-security


Module for Nuxt.js 2 to configure security headers and more

Compatibility with Nuxt releases

This module has been developed for Nuxt 2. If you are looking for an equivalent compatible with Nuxt 3, please have a look at https://www.npmjs.com/package/nuxt-security.

Features

This module allows you to configure various security headers such as CSP and HSTS, and can also generate a security.txt file. Here is a list of the available features:

  • Strict-Transport-Security header
  • Content-Security-Policy header
  • X-Frame-Options header
  • X-Xss-Protection
  • X-Content-Type-Options header
  • Referrer-Policy header
  • Permissions-Policy header (previously Feature-Policy)
  • security.txt file generation

ToDo

  • Sign security.txt with OpenPGP
  • Headers as meta tags for SPA
  • Public-Key-Pins

📖 Release Notes

Setup

  1. Add the @dansmaculotte/nuxt-security dependency to your project
yarn add @dansmaculotte/nuxt-security # or npm install @dansmaculotte/nuxt-security
  2. Add @dansmaculotte/nuxt-security to the modules section of nuxt.config.js
{
  modules: [
    // Simple usage
    '@dansmaculotte/nuxt-security',

    // With options
    [
      '@dansmaculotte/nuxt-security',
      {
        /* module options */
      }
    ]
  ],

  // Top level options
  security: {}
}

Options

dev

  • Default: process.env.SECURITY_DEV || false

Enable module in development mode

hsts

  • Default: null

This option relies on the helmet hsts package.

Example:

hsts: {
  maxAge: 15552000,
  includeSubDomains: true,
  preload: true
},

csp

  • Default: null

This option relies on the helmet csp package.

Example:

csp: {
  directives: {
    defaultSrc: ["'self'"],
    scriptSrc: ["'self'"],
    objectSrc: ["'self'"],
  },
  reportOnly: false,
},

referrer

  • Default: null

This option relies on the helmet referrer policy package.

Example:

referrer: 'same-origin',

permissions

  • Default: null

This option relies on the permissions policy package.

Example:

permissions: {
  notifications: ['none']
},

Note: this option replaces the former features option, since the Feature-Policy header is deprecated. The features option is still supported for now, but it displays a warning and emits the Permissions-Policy header instead.

securityFile

  • Default: null

This option allows you to generate a security.txt file as described by securitytxt.org.

When generating for SPA applications, the file will appear in the dist/.well-known folder.

For universal applications, the file is accessible at this path: /.well-known/security.txt.

Example:

securityFile: {
  contacts: [
    'mailto:security@example.com',
    'https://example.com/security'
  ],
  // or contacts: 'mailto:security@example.com'
  canonical: 'https://example.com/.well-known/security.txt',
  preferredLanguages: ['fr', 'en'],
  // or preferredLanguages: 'fr',
  encryptions: ['https://example.com/pgp-key.txt'],
  // or encryptions: 'https://example.com/pgp-key.txt',
  acknowledgments: ['https://example.com/hall-of-fame.html'],
  // or acknowledgments: 'https://example.com/hall-of-fame.html',
  policies: ['https://example.com/policy.html'],
  // or policies: 'https://example.com/policy.html',
  hirings: ['https://example.com/jobs.html']
  // or hirings: 'https://example.com/jobs.html'
},

additionalHeaders

  • Default: false

If true, it adds additional headers:
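As an added illustration that is not part of this README and not the module's or helmet's code, the functions below render the option shapes documented above into the header values and security.txt body that are actually served, so you can check what a given configuration sends. The `expires` argument of `securityTxt` is an assumption of this example: the options listed here have no Expires field, but RFC 9116 makes it mandatory.

```javascript
// Added illustration, not the module's or helmet's code: renders the option shapes
// from this README into the served header values and security.txt body.
const kebab = (s) => s.replace(/[A-Z]/g, (c) => '-' + c.toLowerCase());
const asList = (v) => (Array.isArray(v) ? v : [v]);

// hsts: { maxAge, includeSubDomains, preload } -> Strict-Transport-Security value
function hstsHeader({ maxAge, includeSubDomains = false, preload = false }) {
  const parts = [`max-age=${maxAge}`];
  if (includeSubDomains) parts.push('includeSubDomains');
  if (preload) parts.push('preload');
  return parts.join('; ');
}

// csp.directives: { defaultSrc: ["'self'"], ... } -> Content-Security-Policy value
// (whitespace between directives may differ from what helmet emits)
function cspHeader(directives) {
  return Object.entries(directives)
    .map(([name, values]) => `${kebab(name)} ${asList(values).join(' ')}`.trim())
    .join('; ');
}

// permissions: { notifications: ['none'] } -> Permissions-Policy value.
// Assumption: 'none' is an empty allowlist, '*' allows all, 'self' is a token
// and any other string is an origin (quoted as the header syntax requires).
function permissionsHeader(permissions) {
  return Object.entries(permissions)
    .map(([feature, allow]) => {
      const values = asList(allow).filter((v) => v !== 'none');
      if (values.includes('*')) return `${kebab(feature)}=*`;
      const items = values.map((v) => (v === 'self' ? v : JSON.stringify(v)));
      return `${kebab(feature)}=(${items.join(' ')})`;
    })
    .join(', ');
}

// securityFile options -> security.txt body. `expires` is not an option shown
// in the README; it is an assumed extra argument here because RFC 9116 makes
// the Expires field mandatory.
function securityTxt(opts, expires) {
  const langs = opts.preferredLanguages && asList(opts.preferredLanguages).join(', ');
  const fields = [
    ['Contact', opts.contacts], ['Expires', expires], ['Encryption', opts.encryptions],
    ['Acknowledgments', opts.acknowledgments], ['Preferred-Languages', langs],
    ['Canonical', opts.canonical], ['Policy', opts.policies], ['Hiring', opts.hirings],
  ];
  return fields
    .filter(([, v]) => v !== undefined && v !== null)
    .flatMap(([name, v]) => asList(v).map((x) => `${name}: ${x}`))
    .join('\n') + '\n';
}
```

Feed each function the corresponding object from your security config (for example `cspHeader(config.security.csp.directives)`) and compare the result with what your deployed site returns.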

Development

  1. Clone this repository
  2. Install dependencies using yarn install or npm install
  3. Start development server using npm run dev

License

MIT License

Copyright (c) Dans Ma Culotte tech@dansmaculotte.fr

Last updated on 17 Oct 2022
