README
@dansmaculotte/nuxt-security
Module for Nuxt.js to configure security headers and more
Features
This module allows you to configure various security headers such as CSP, HSTS or even generate security.txt file. Here is a list of availables features :
- Strict-Transport-Security header
- Content-Security-Policy header
- X-Frame-Options header
- X-Xss-Protection
- X-Content-Type-Options header
- Referrer-Policy header
- Permissions-Policy header (previously Feature-Policy)
- security.txt file generation
ToDo
- Sign security.txt with OpenPGP
- Headers as meta tags for SPA
- Public-Key-Pins
Setup
- Add
@dansmaculotte/nuxt-security
dependency to your project
yarn add @dansmaculotte/nuxt-security # or npm install @dansmaculotte/nuxt-security
- Add
@dansmaculotte/nuxt-security
to themodules
section ofnuxt.config.js
{
modules: [
// Simple usage
'@dansmaculotte/nuxt-security',
// With options
[
'@dansmaculotte/nuxt-security',
{
/* module options */
}
]
],
// Top level options
security: {}
}
Options
dev
- Default:
process.env.SECURITY_DEV || false
Enable module in development mode
hsts
- Default:
null
This option rely on helmet hsts package.
Example:
hsts: {
maxAge: 15552000,
includeSubDomains: true,
preload: true
},
csp
- Default:
null
This option rely on helmet csp package.
Example:
csp: {
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'"],
objectSrc: ["'self'"],
},
reportOnly: false,
},
referrer
- Default:
null
This option rely on helmet referrer policy package.
Example:
referrer: 'same-origin',
permissions
- Default:
null
This option rely on permissions policy package.
Example:
permissions: {
notifications: ['none']
},
Note: this come in replacement for feature
option as Feature-Policy
header is deprecated.
Previous features
option is still supported for now but displays a warning
and use Permissions-Policy header instead.
securityFile
- Default:
null
This option allows you to generate a security.txt
described by securitytxt.org.
When generating for SPA applications, the file will appear in the dist/.well-known
folder.
For universal applications, the file is accessible at this path: /.well-known/security.txt
.
Example:
securityFile: {
contacts: [
'mailto:security@example.com',
'https://example.com/security'
],
// or contacts: 'mailto:security@example.com'
canonical: 'https://example.com/.well-know/security.txt',
preferredLanguages: ['fr', 'en'],
// or preferredLanguages: 'fr',
encryptions: ['https://example.com/pgp-key.txt'],
// or encryptions: 'https://example.com/pgp-key.txt',
acknowledgments: ['https://example.com/hall-of-fame.html'],
// or acknowledgments: 'https://example.com/hall-of-fame.html',
policies: ['https://example.com/policy.html'],
// or policies: 'https://example.com/policy.html',
hirings: ['https://example.com/jobs.html']
// or hirings: 'https://example.com/jobs.html'
},
additionalHeaders
- Default:
false
If true
it adds additional headers :
X-Frame-Options: SAMEORIGIN
- documentationX-Xss-Protection: 1; mode=block
- documentationX-Content-Type-Options: nosniff
- documentation
Development
- Clone this repository
- Install dependencies using
yarn install
ornpm install
- Start development server using
npm run dev
License
Copyright (c) Dans Ma Culotte tech@dansmaculotte.fr