nuxt-security

nuxt-security

OWASP Top 10 module that adds a few security improvements in form of a customizable server middlewares to your Nuxt 3 application. All middlewares can be modified or disabled if needed. They can also be configured to work only on certain routes. By default all middlewares are configured to work globally.

Features

• Same Security headers set as by popular Express.js middleware helmet
• Request Size Limiter solving this
• Rate Limiter solving this
• Parameter Polution is handled by Nuxt automatically

Usage

yarn add nuxt-security # yarn
npm i nuxt-security # npm

// nuxt.config.js

{
  modules: [
    "nuxt-security",
  ],
}

The module will configure for you several response headers with the values recommended by Helmet as well as two custom middlewares for rate and request size limiting.

If you wish to modify them you can do so from the configuration:

export type RequestSizeLimiter = {
  maxRequestSizeInBytes: number;
  maxUploadFileRequestInBytes: number;
};

export type RateLimiter = {
  tokensPerInterval: number;
  interval: string | number;
  fireImmediately?: boolean;
};

export type MiddlewareConfiguration<MIDDLEWARE> = {
  value: MIDDLEWARE;
  route: string;
}

export type SecurityHeaders = {
  crossOriginResourcePolicy: MiddlewareConfiguration<string> | boolean;
  crossOriginOpenerPolicy: MiddlewareConfiguration<string> | boolean;
  crossOriginEmbedderPolicy: MiddlewareConfiguration<string> | boolean;
  contentSecurityPolicy: MiddlewareConfiguration<string> | boolean;
  originAgentCluster: MiddlewareConfiguration<string> | boolean;
  referrerPolicy: MiddlewareConfiguration<string> | boolean;
  strictTransportSecurity: MiddlewareConfiguration<string> | boolean;
  xContentTypeOptions: MiddlewareConfiguration<string> | boolean;
  xDNSPrefetchControl: MiddlewareConfiguration<string> | boolean;
  xDownloadOptions: MiddlewareConfiguration<string> | boolean;
  xFrameOptions: MiddlewareConfiguration<string> | boolean;
  xPermittedCrossDomainPolicies: MiddlewareConfiguration<string> | boolean;
  xXSSProtection: MiddlewareConfiguration<number> | boolean;
};

export interface ModuleOptions {
  headers: SecurityHeaders | boolean;
  requestSizeLimiter: MiddlewareConfiguration<RequestSizeLimiter> | boolean;
  rateLimiter: MiddlewareConfiguration<RateLimiter> | boolean;
}

The default values are as follows:

security: {
  headers: {
    crossOriginResourcePolicy: {
      value: "same-origin",
      route: '',,
    },
    crossOriginOpenerPolicy: {
      value: "same-origin",
      route: '',,
    },
    crossOriginEmbedderPolicy: {
      value: "require-corp",
      route: '',,
    },
    contentSecurityPolicy: {
      value:
        "base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests",
      route: '',,
    },
    originAgentCluster: {
      value: "?1",
      route: '',,
    },
    referrerPolicy: {
      value: "no-referrer",
      route: '',,
    },
    strictTransportSecurity: {
      value: "max-age=15552000; includeSubDomains",
      route: '',,
    },
    xContentTypeOptions: {
      value: "nosniff",
      route: '',,
    },
    xDNSPrefetchControl: {
      value: "off",
      route: '',,
    },
    xDownloadOptions: {
      value: "noopen",
      route: '',,
    },
    xFrameOptions: {
      value: "SAMEORIGIN",
      route: '',,
    },
    xPermittedCrossDomainPolicies: {
      value: "none",
      route: '',,
    },
    xXSSProtection: {
      value: 0,
      route: '',,
    },
  },
  requestSizeLimiter: {
    value: {
      maxRequestSizeInBytes: 2000000,
      maxUploadFileRequestInBytes: 8000000,
    },
    route: '',,
  },
  rateLimiter: {
    // Twitter search rate limiting
    value: {
      tokensPerInterval: 150,
      interval: "hour",
      fireImmediately: true,
    },
    route: '',,
  },
}

Development

• Run npm run dev:prepare to generate type stubs.
• Use npm run dev to start playground in development mode.