Module for Nuxt.js 2 to configure security headers and more
This module as been developed for Nuxt 2. If you are looking for an equivalent compatible with Nuxt 3, please have a look to https://www.npmjs.com/package/nuxt-security.
This module allows you to configure various security headers such as CSP, HSTS or even generate security.txt file. Here is a list of availables features :
- Strict-Transport-Security header
- Content-Security-Policy header
- X-Frame-Options header
- X-Xss-Protection
- X-Content-Type-Options header
- Referrer-Policy header
- Permissions-Policy header (previously Feature-Policy)
- security.txt file generation
- Sign security.txt with OpenPGP
- Headers as meta tags for SPA
- Public-Key-Pins
- Add
@dansmaculotte/nuxt-security
dependency to your project
yarn add @dansmaculotte/nuxt-security # or npm install @dansmaculotte/nuxt-security
- Add
@dansmaculotte/nuxt-security
to themodules
section ofnuxt.config.js
{
modules: [
// Simple usage
'@dansmaculotte/nuxt-security',
// With options
[
'@dansmaculotte/nuxt-security',
{
/* module options */
}
]
],
// Top level options
security: {}
}
- Default:
process.env.SECURITY_DEV || false
Enable module in development mode
- Default:
null
This option rely on helmet hsts package.
Example:
hsts: {
maxAge: 15552000,
includeSubDomains: true,
preload: true
},
- Default:
null
This option rely on helmet csp package.
Example:
csp: {
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'"],
objectSrc: ["'self'"],
},
reportOnly: false,
},
- Default:
null
This option rely on helmet referrer policy package.
Example:
referrer: 'same-origin',
- Default:
null
This option rely on permissions policy package.
Example:
permissions: {
notifications: ['none']
},
Note: this come in replacement for feature
option as Feature-Policy
header is deprecated.
Previous features
option is still supported for now but displays a warning
and use Permissions-Policy header instead.
- Default:
null
This option allows you to generate a security.txt
described by securitytxt.org.
When generating for SPA applications, the file will appear in the dist/.well-known
folder.
For universal applications, the file is accessible at this path: /.well-known/security.txt
.
Example:
securityFile: {
contacts: [
'mailto:security@example.com',
'https://example.com/security'
],
// or contacts: 'mailto:security@example.com'
canonical: 'https://example.com/.well-know/security.txt',
preferredLanguages: ['fr', 'en'],
// or preferredLanguages: 'fr',
encryptions: ['https://example.com/pgp-key.txt'],
// or encryptions: 'https://example.com/pgp-key.txt',
acknowledgments: ['https://example.com/hall-of-fame.html'],
// or acknowledgments: 'https://example.com/hall-of-fame.html',
policies: ['https://example.com/policy.html'],
// or policies: 'https://example.com/policy.html',
hirings: ['https://example.com/jobs.html']
// or hirings: 'https://example.com/jobs.html'
},
- Default:
false
If true
it adds additional headers :
X-Frame-Options: SAMEORIGIN
- documentationX-Xss-Protection: 1; mode=block
- documentationX-Content-Type-Options: nosniff
- documentation
- Clone this repository
- Install dependencies using
yarn install
ornpm install
- Start development server using
npm run dev
Copyright (c) Dans Ma Culotte tech@dansmaculotte.fr