Module for Nuxt.js to configure security headers and more
This module allows you to configure various security headers such as CSP, HSTS or even generate security.txt file. Here is a list of availables features :
@dansmaculotte/nuxt-security dependency to your project
yarn add @dansmaculotte/nuxt-security # or npm install @dansmaculotte/nuxt-security
@dansmaculotte/nuxt-security to the
modules section of
nuxt.config.js
{
modules: [
// Simple usage
'@dansmaculotte/nuxt-security',
// With options
[
'@dansmaculotte/nuxt-security',
{
/* module options */
}
]
],
// Top level options
security: {}
}
dev
process.env.SECURITY_DEV || false
Enable module in development mode
hsts
null
This option rely on helmet hsts package.
Example:
hsts: {
maxAge: 15552000,
includeSubDomains: true,
preload: true
},
csp
null
This option rely on helmet csp package.
Example:
csp: {
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'"],
objectSrc: ["'self'"],
},
reportOnly: false,
},
referrer
null
This option rely on helmet referrer policy package.
Example:
referrer: 'same-origin',
permissions
null
This option rely on permissions policy package.
Example:
permissions: {
notifications: ['none']
},
Note: this come in replacement for
feature option as Feature-Policy
header is deprecated.
Previous
features option is still supported for now but displays a warning
and use Permissions-Policy header instead.
securityFile
null
This option allows you to generate a
security.txt described by securitytxt.org.
When generating for SPA applications, the file will appear in the
dist/.well-known folder.
For universal applications, the file is accessible at this path:
/.well-known/security.txt.
Example:
securityFile: {
contacts: [
'mailto:security@example.com',
'https://example.com/security'
],
// or contacts: 'mailto:security@example.com'
canonical: 'https://example.com/.well-know/security.txt',
preferredLanguages: ['fr', 'en'],
// or preferredLanguages: 'fr',
encryptions: ['https://example.com/pgp-key.txt'],
// or encryptions: 'https://example.com/pgp-key.txt',
acknowledgments: ['https://example.com/hall-of-fame.html'],
// or acknowledgments: 'https://example.com/hall-of-fame.html',
policies: ['https://example.com/policy.html'],
// or policies: 'https://example.com/policy.html',
hirings: ['https://example.com/jobs.html']
// or hirings: 'https://example.com/jobs.html'
},
additionalHeaders
false
If
true it adds additional headers :
X-Frame-Options: SAMEORIGIN - documentation
X-Xss-Protection: 1; mode=block - documentation
X-Content-Type-Options: nosniff - documentation
yarn install or
npm install
npm run dev
Copyright (c) Dans Ma Culotte tech@dansmaculotte.fr