README
@dansmaculotte/nuxt-security
Module for Nuxt.js to configure security headers and more
Features
This module allows you to configure various security headers such as CSP, HSTS or even generate security.txt file. Here is a list of availables features :
- Strict-Transport-Security header
- Content-Security-Policy header
- X-Frame-Options header
- X-Xss-Protection
- X-Content-Type-Options header
- Referrer-Policy header
- Permissions-Policy header (previously Feature-Policy)
- security.txt file generation
ToDo
- Sign security.txt with OpenPGP
- Headers as meta tags for SPA
- Public-Key-Pins
Setup
- Add
@dansmaculotte/nuxt-securitydependency to your project
yarn add @dansmaculotte/nuxt-security # or npm install @dansmaculotte/nuxt-security
- Add
@dansmaculotte/nuxt-securityto themodulessection ofnuxt.config.js
{
modules: [
// Simple usage
'@dansmaculotte/nuxt-security',
// With options
[
'@dansmaculotte/nuxt-security',
{
/* module options */
}
]
],
// Top level options
security: {}
}
Options
dev
- Default:
process.env.SECURITY_DEV || false
Enable module in development mode
hsts
- Default:
null
This option rely on helmet hsts package.
Example:
hsts: {
maxAge: 15552000,
includeSubDomains: true,
preload: true
},
csp
- Default:
null
This option rely on helmet csp package.
Example:
csp: {
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'"],
objectSrc: ["'self'"],
},
reportOnly: false,
},
referrer
- Default:
null
This option rely on helmet referrer policy package.
Example:
referrer: 'same-origin',
permissions
- Default:
null
This option rely on permissions policy package.
Example:
permissions: {
notifications: ['none']
},
Note: this come in replacement for feature option as Feature-Policy
header is deprecated.
Previous features option is still supported for now but displays a warning
and use Permissions-Policy header instead.
securityFile
- Default:
null
This option allows you to generate a security.txt described by securitytxt.org.
When generating for SPA applications, the file will appear in the dist/.well-known folder.
For universal applications, the file is accessible at this path: /.well-known/security.txt.
Example:
securityFile: {
contacts: [
'mailto:security@example.com',
'https://example.com/security'
],
// or contacts: 'mailto:security@example.com'
canonical: 'https://example.com/.well-know/security.txt',
preferredLanguages: ['fr', 'en'],
// or preferredLanguages: 'fr',
encryptions: ['https://example.com/pgp-key.txt'],
// or encryptions: 'https://example.com/pgp-key.txt',
acknowledgments: ['https://example.com/hall-of-fame.html'],
// or acknowledgments: 'https://example.com/hall-of-fame.html',
policies: ['https://example.com/policy.html'],
// or policies: 'https://example.com/policy.html',
hirings: ['https://example.com/jobs.html']
// or hirings: 'https://example.com/jobs.html'
},
additionalHeaders
- Default:
false
If true it adds additional headers :
X-Frame-Options: SAMEORIGIN- documentationX-Xss-Protection: 1; mode=block- documentationX-Content-Type-Options: nosniff- documentation
Development
- Clone this repository
- Install dependencies using
yarn installornpm install - Start development server using
npm run dev
License
Copyright (c) Dans Ma Culotte tech@dansmaculotte.fr