This module allows you to configure various security headers such as CSP, HSTS or even generate security.txt file. Here is a list of availables features :

Strict-Transport-Security header
Content-Security-Policy header
X-Frame-Options header
X-Xss-Protection
X-Content-Type-Options header
Referrer-Policy header
Permissions-Policy header (previously Feature-Policy)
security.txt file generation

ToDo

Sign security.txt with OpenPGP
Headers as meta tags for SPA
Public-Key-Pins

📖 Release Notes

Setup

Add @dansmaculotte/nuxt-security dependency to your project

yarn add @dansmaculotte/nuxt-security # or npm install @dansmaculotte/nuxt-security

Add @dansmaculotte/nuxt-security to the modules section of nuxt.config.js

{
  modules: [
    // Simple usage
    '@dansmaculotte/nuxt-security',

    // With options
    [
      '@dansmaculotte/nuxt-security',
      {
        /* module options */
      }
    ]
  ],

  // Top level options
  security: {}
}

Options

`dev`

Default: process.env.SECURITY_DEV || false

Enable module in development mode

`hsts`

Default: null

This option rely on helmet hsts package.

Example:

hsts: {
  maxAge: 15552000,
  includeSubDomains: true,
  preload: true
},

`csp`

Default: null

This option rely on helmet csp package.

Example:

csp: {
  directives: {
    defaultSrc: ["'self'"],
    scriptSrc: ["'self'"],
    objectSrc: ["'self'"],
  },
  reportOnly: false,
},

`referrer`

Default: null

This option rely on helmet referrer policy package.

Example:

referrer: 'same-origin',

`permissions`

Default: null

This option rely on permissions policy package.

Example:

permissions: {
  notifications: ['none']
},

Note: this come in replacement for feature option as Feature-Policy header is deprecated. Previous features option is still supported for now but displays a warning and use Permissions-Policy header instead.

`securityFile`

Default: null

This option allows you to generate a security.txt described by securitytxt.org.

When generating for SPA applications, the file will appear in the dist/.well-known folder.

For universal applications, the file is accessible at this path: /.well-known/security.txt.

Example:

securityFile: {
  contacts: [
    'mailto:[email protected]',
    'https://example.com/security'
  ],
  // or contacts: 'mailto:[email protected]'
  canonical: 'https://example.com/.well-know/security.txt',
  preferredLanguages: ['fr', 'en'],
  // or preferredLanguages: 'fr',
  encryptions: ['https://example.com/pgp-key.txt'],
  // or encryptions: 'https://example.com/pgp-key.txt',
  acknowledgments: ['https://example.com/hall-of-fame.html'],
  // or acknowledgments: 'https://example.com/hall-of-fame.html',
  policies: ['https://example.com/policy.html'],
  // or policies: 'https://example.com/policy.html',
  hirings: ['https://example.com/jobs.html']
  // or hirings: 'https://example.com/jobs.html'
},

`additionalHeaders`

Default: false

If true it adds additional headers :

X-Frame-Options: SAMEORIGIN - documentation
X-Xss-Protection: 1; mode=block - documentation
X-Content-Type-Options: nosniff - documentation

Development

Clone this repository
Install dependencies using yarn install or npm install
Start development server using npm run dev

License

MIT License

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

dansmaculotte / nuxt-security

Programming Languages

Labels

Projects that are alternatives of or similar to nuxt-security

@dansmaculotte/nuxt-security

Features

ToDo

Setup

Options

`dev`

`hsts`

`csp`

`referrer`

`permissions`

`securityFile`

`additionalHeaders`

Development

License