Module for Nuxt.js to configure security headers and more

Features

This module allows you to configure various security headers, such as CSP or HSTS, and to generate a security.txt file. The available features are:

Strict-Transport-Security header

Content-Security-Policy header

X-Frame-Options header

X-Xss-Protection

X-Content-Type-Options header

Referrer-Policy header

Permissions-Policy header (previously Feature-Policy)

security.txt file generation

ToDo

Setup

Add @dansmaculotte/nuxt-security dependency to your project

yarn add @dansmaculotte/nuxt-security

Add @dansmaculotte/nuxt-security to the modules section of nuxt.config.js

    {
      modules: [
        // plain usage, configured through the `security` key below
        '@dansmaculotte/nuxt-security',

        // or inline, passing the module options as the second array element
        ['@dansmaculotte/nuxt-security', { /* module options */ }]
      ],
      security: {}
    }

Options

dev

Default: process.env.SECURITY_DEV || false

Enable module in development mode

hsts

Default: null

This option relies on the helmet hsts package.

Example:

    hsts: {
      maxAge: 15552000,
      includeSubDomains: true,
      preload: true
    },

csp

Default: null

This option relies on the helmet csp package.

Example:

    csp: {
      directives: {
        defaultSrc: ["'self'"],
        scriptSrc: ["'self'"],
        objectSrc: ["'self'"]
      },
      reportOnly: false
    },

referrer

Default: null

This option relies on the helmet referrer policy package.

Example:

    referrer: 'same-origin',

permissions

Default: null

This option relies on the permissions policy package.

Example:

    permissions: {
      notifications: ['none']
    },

Note: this option replaces the former feature option, since the Feature-Policy header is deprecated. The previous features option is still supported for now, but it displays a warning and emits the Permissions-Policy header instead.
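To see what the hsts, csp, referrer and permissions examples above actually put on the wire, here is an added illustration that renders the header values from that same `security` object. It is not the module's or helmet's code: it re-implements the header grammars (camelCase directive names become kebab-case in Content-Security-Policy, as helmet does; Permissions-Policy allowlists follow the `feature=(allowlist)` form) so the result can be inspected without starting Nuxt. It also adds a small check that flags source expressions in script-src which largely defeat the purpose of a CSP.

```javascript
// Added example: renders the headers the README's sample `security` options
// correspond to. This is not the module's implementation and not helmet's;
// it only reproduces the header formats for inspection.

// Strict-Transport-Security: max-age is mandatory, the two flags are optional.
function renderHsts({ maxAge, includeSubDomains = false, preload = false }) {
  if (!Number.isInteger(maxAge) || maxAge < 0) {
    throw new TypeError('hsts.maxAge must be a non-negative integer (seconds)');
  }
  const parts = [`max-age=${maxAge}`];
  if (includeSubDomains) parts.push('includeSubDomains');
  if (preload) parts.push('preload');
  return parts.join('; ');
}

// Option keys are camelCase (defaultSrc); the header uses kebab-case (default-src).
function toKebab(name) {
  return name.replace(/[A-Z]/g, (c) => '-' + c.toLowerCase());
}

// Content-Security-Policy: values are space separated, directives joined by "; ".
function renderCsp({ directives }) {
  return Object.entries(directives)
    .map(([name, values]) => {
      const key = toKebab(name);
      return values.length ? `${key} ${values.join(' ')}` : key;
    })
    .join('; ');
}

// Source expressions that make script-src close to ineffective. script-src
// falls back to default-src when it is absent, so the check follows that rule.
const WEAK_SCRIPT_SOURCES = ["'unsafe-inline'", "'unsafe-eval'", '*', 'data:'];

function findWeakScriptSources({ directives }) {
  const effective = directives.scriptSrc || directives.defaultSrc || [];
  return effective.filter((v) => WEAK_SCRIPT_SOURCES.includes(v));
}

// Permissions-Policy: feature=(allowlist). 'none' -> (), 'self' and '*' are bare
// tokens, explicit origins are quoted strings, features are comma separated.
function renderPermissions(policy) {
  return Object.entries(policy)
    .map(([feature, allow]) => {
      if (allow.includes('*')) return `${toKebab(feature)}=*`;
      const tokens = allow
        .filter((v) => v !== 'none')
        .map((v) => (v === 'self' ? v : `"${v}"`));
      return `${toKebab(feature)}=(${tokens.join(' ')})`;
    })
    .join(', ');
}

// The `security` options shown in this README, reproduced as sample input.
const exampleSecurity = {
  hsts: { maxAge: 15552000, includeSubDomains: true, preload: true },
  csp: {
    directives: { defaultSrc: ["'self'"], scriptSrc: ["'self'"], objectSrc: ["'self'"] },
    reportOnly: false,
  },
  referrer: 'same-origin',
  permissions: { notifications: ['none'] },
};

// Returns the response headers the given options correspond to.
function renderSecurityHeaders(security) {
  const headers = {};
  if (security.hsts) headers['Strict-Transport-Security'] = renderHsts(security.hsts);
  if (security.csp) {
    // reportOnly switches the header name; the policy text is the same.
    const name = security.csp.reportOnly
      ? 'Content-Security-Policy-Report-Only'
      : 'Content-Security-Policy';
    headers[name] = renderCsp(security.csp);
  }
  if (security.referrer) headers['Referrer-Policy'] = security.referrer;
  if (security.permissions) {
    headers['Permissions-Policy'] = renderPermissions(security.permissions);
  }
  return headers;
}

console.log(renderSecurityHeaders(exampleSecurity));
console.log('weak script sources:', findWeakScriptSources(exampleSecurity.csp));
```

For the README's options this prints `max-age=15552000; includeSubDomains; preload`, `default-src 'self'; script-src 'self'; object-src 'self'`, `same-origin` and `notifications=()`, with no weak script sources. Adding `'unsafe-inline'` to scriptSrc (or to defaultSrc when scriptSrc is omitted) makes `findWeakScriptSources` report it.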

securityFile

Default: null

This option allows you to generate a security.txt file as described at securitytxt.org.

When generating an SPA application, the file is written to the dist/.well-known folder.

For universal applications, the file is accessible at this path: /.well-known/security.txt .

Example:

    securityFile: {
      contacts: [
        'mailto:security@example.com',
        'https://example.com/security'
      ],
      canonical: 'https://example.com/.well-known/security.txt',
      preferredLanguages: ['fr', 'en'],
      encryptions: ['https://example.com/pgp-key.txt'],
      acknowledgments: ['https://example.com/hall-of-fame.html'],
      policies: ['https://example.com/policy.html'],
      hirings: ['https://example.com/jobs.html']
    },
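The following added example renders a security.txt from the option keys listed above, using the field names defined by securitytxt.org (RFC 9116), and checks the values a practitioner would want verified before publishing (at least one Contact, https URLs, a Canonical that points at /.well-known/security.txt). It is not the module's own generator. RFC 9116 also requires an Expires field, which this README's option list does not mention; the example assumes an `expires` Date option for that purpose, and the date used is constructed for the example.

```javascript
// Added example: renders and validates a security.txt (RFC 9116) from the
// option keys shown in this README. Not the module's own code. The `expires`
// key is an assumption made here because the RFC requires the field.

// Option key (as in the README) -> security.txt field name. Order here is
// the order the fields are written in.
const FIELD_NAMES = {
  contacts: 'Contact',
  canonical: 'Canonical',
  encryptions: 'Encryption',
  acknowledgments: 'Acknowledgments',
  policies: 'Policy',
  hirings: 'Hiring',
};

// Returns a list of problems; an empty list means the options are publishable.
function validateSecurityFile(options) {
  const problems = [];
  if (!Array.isArray(options.contacts) || options.contacts.length === 0) {
    problems.push('at least one Contact is required');
  }
  for (const c of options.contacts || []) {
    if (!/^(mailto:|tel:|https:\/\/)/.test(c)) {
      problems.push(`Contact must be a mailto:, tel: or https:// URI: ${c}`);
    }
  }
  for (const key of ['canonical', 'encryptions', 'acknowledgments', 'policies', 'hirings']) {
    for (const v of [].concat(options[key] || [])) {
      if (!v.startsWith('https://')) problems.push(`${FIELD_NAMES[key]} must use https: ${v}`);
    }
  }
  // A misspelled canonical URL (e.g. ".well-know") means the file points at itself wrongly.
  if (options.canonical && !options.canonical.endsWith('/.well-known/security.txt')) {
    problems.push(`Canonical should point at /.well-known/security.txt: ${options.canonical}`);
  }
  if (!(options.expires instanceof Date) || Number.isNaN(options.expires.getTime())) {
    problems.push('Expires (a Date) is required by RFC 9116');
  }
  return problems;
}

// Renders the file body, one "Field: value" line per value.
function renderSecurityTxt(options) {
  const problems = validateSecurityFile(options);
  if (problems.length) {
    throw new Error('invalid securityFile options:\n' + problems.join('\n'));
  }
  const lines = [];
  for (const [key, field] of Object.entries(FIELD_NAMES)) {
    for (const value of [].concat(options[key] || [])) lines.push(`${field}: ${value}`);
  }
  if (options.preferredLanguages && options.preferredLanguages.length) {
    // Preferred-Languages is a single comma-separated field, unlike the others.
    lines.push(`Preferred-Languages: ${options.preferredLanguages.join(', ')}`);
  }
  lines.push(`Expires: ${options.expires.toISOString()}`);
  return lines.join('\n') + '\n';
}

// The README's example options as sample input, plus the assumed `expires`.
const exampleSecurityFile = {
  contacts: ['mailto:security@example.com', 'https://example.com/security'],
  canonical: 'https://example.com/.well-known/security.txt',
  preferredLanguages: ['fr', 'en'],
  encryptions: ['https://example.com/pgp-key.txt'],
  acknowledgments: ['https://example.com/hall-of-fame.html'],
  policies: ['https://example.com/policy.html'],
  hirings: ['https://example.com/jobs.html'],
  // Constructed value; not an option this README lists.
  expires: new Date('2022-09-06T00:00:00Z'),
};

process.stdout.write(renderSecurityTxt(exampleSecurityFile));
```

The rendered file has one `Contact:` line per contact, a single comma-separated `Preferred-Languages:` line, and ends with `Expires:`. Passing an empty `contacts` array or a canonical URL that does not end in `/.well-known/security.txt` makes `validateSecurityFile` return the corresponding problems instead of an empty list.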

additionalHeaders

Default: false

If true, it adds the following headers:

X-Frame-Options: SAMEORIGIN

X-Xss-Protection: 1; mode=block

X-Content-Type-Options: nosniff

Development

Clone this repository

Install dependencies using yarn install or npm install

Start the development server using npm run dev

License

MIT License

Copyright (c) Dans Ma Culotte tech@dansmaculotte.fr