IMPORTANT: I will not support this module anymore.
# @dansmaculotte/nuxt-security
Module for Nuxt.js 2 to configure security headers and more
This module has been developed for Nuxt 2. If you are looking for an equivalent compatible with Nuxt 3, please have a look at https://www.npmjs.com/package/nuxt-security.

This module allows you to configure various security headers such as CSP and HSTS, and can also generate a `security.txt` file. Here is the list of available features:
- Strict-Transport-Security header
- Content-Security-Policy header
- X-Frame-Options header
- X-Xss-Protection
- X-Content-Type-Options header
- Referrer-Policy header
- Permissions-Policy header (previously Feature-Policy)
- security.txt file generation
- Sign security.txt with OpenPGP
- Headers as meta tags for SPA
- Public-Key-Pins
## Setup

1. Add the `@dansmaculotte/nuxt-security` dependency to your project

```bash
yarn add @dansmaculotte/nuxt-security # or npm install @dansmaculotte/nuxt-security
```

2. Add `@dansmaculotte/nuxt-security` to the `modules` section of `nuxt.config.js`

```js
{
  modules: [
    // Simple usage
    '@dansmaculotte/nuxt-security',

    // With options
    ['@dansmaculotte/nuxt-security', { /* module options */ }]
  ],
  // Top level options
  security: {}
}
```

## Options
### `dev`

- Default: `process.env.SECURITY_DEV || false`

Enable the module in development mode.
### `hsts`

- Default: `null`

This option relies on the helmet hsts package.

Example:

```js
hsts: {
  maxAge: 15552000,
  includeSubDomains: true,
  preload: true
},
```
### `csp`

- Default: `null`

This option relies on the helmet csp package.

Example:

```js
csp: {
  directives: {
    defaultSrc: ["'self'"],
    scriptSrc: ["'self'"],
    objectSrc: ["'self'"],
  },
  reportOnly: false,
},
```
### `referrer`

- Default: `null`

This option relies on the helmet referrer policy package.

Example:

```js
referrer: 'same-origin',
```
### `permissions`

- Default: `null`

This option relies on the permissions policy package.

Example:

```js
permissions: {
  notifications: ['none']
},
```

Note: this option replaces the `features` option, as the `Feature-Policy` header is deprecated. The previous `features` option is still supported for now, but it displays a warning and sets the `Permissions-Policy` header instead.
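To make the `hsts`, `csp`, `referrer` and `permissions` options above concrete, the following added example (not the module's own code, and not the helmet or permissions-policy packages it delegates to) builds the header values those option shapes produce, following the formats of the respective header specifications. The `buildSecurityHeaders` function and the `sampleOptions` object are constructed for this example; the sample values are the ones from the option sections above.

```javascript
// Added example: turn the module's option shapes into header name/value pairs.
// This is an illustration of what the headers look like, not the module's code.

// helmet-style camelCase directive keys become kebab-case CSP directive names
// (defaultSrc -> default-src).
function toDirectiveName(key) {
  return key.replace(/[A-Z]/g, (c) => '-' + c.toLowerCase());
}

// Strict-Transport-Security: max-age=<seconds>[; includeSubDomains][; preload]
function buildHsts(hsts) {
  const parts = [`max-age=${hsts.maxAge}`];
  if (hsts.includeSubDomains) parts.push('includeSubDomains');
  if (hsts.preload) parts.push('preload');
  return parts.join('; ');
}

// Content-Security-Policy: "<directive> <source> ..." entries joined by "; ".
// reportOnly switches the header name so violations are reported, not enforced,
// which is the usual first step when rolling a policy out on an existing site.
function buildCsp(csp) {
  const value = Object.entries(csp.directives)
    .map(([key, sources]) => `${toDirectiveName(key)} ${[].concat(sources).join(' ')}`)
    .join('; ');
  const name = csp.reportOnly
    ? 'Content-Security-Policy-Report-Only'
    : 'Content-Security-Policy';
  return { name, value };
}

// Permissions-Policy allowlists: 'none' -> (), '*' -> *, 'self' stays bare,
// origins are quoted inside the parentheses.
function buildPermissions(permissions) {
  return Object.entries(permissions)
    .map(([feature, allow]) => {
      const list = [].concat(allow);
      if (list.length === 1 && list[0] === 'none') return `${feature}=()`;
      if (list.length === 1 && list[0] === '*') return `${feature}=*`;
      const inner = list.map((v) => (v === 'self' ? 'self' : `"${v}"`)).join(' ');
      return `${feature}=(${inner})`;
    })
    .join(', ');
}

function buildSecurityHeaders(options) {
  const headers = {};
  if (options.hsts) headers['Strict-Transport-Security'] = buildHsts(options.hsts);
  if (options.csp) {
    const { name, value } = buildCsp(options.csp);
    headers[name] = value;
  }
  if (options.referrer) headers['Referrer-Policy'] = options.referrer;
  if (options.permissions) headers['Permissions-Policy'] = buildPermissions(options.permissions);
  return headers;
}

// Constructed sample input: the option values from the sections above.
const sampleOptions = {
  hsts: { maxAge: 15552000, includeSubDomains: true, preload: true },
  csp: {
    directives: { defaultSrc: ["'self'"], scriptSrc: ["'self'"], objectSrc: ["'self'"] },
    reportOnly: false,
  },
  referrer: 'same-origin',
  permissions: { notifications: ['none'] },
};

console.log(buildSecurityHeaders(sampleOptions));
```

Running the block prints the four headers a response would carry with these options. Comparing the printed values against what the deployed site actually returns (for instance from a response captured in the browser's network panel) is a quick way to confirm the module is active in the environment you expect, since with `dev` left at its default the headers are not set in development mode.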
### `securityFile`

- Default: `null`

This option allows you to generate a `security.txt` file as described by securitytxt.org.

When generating for SPA applications, the file will appear in the `dist/.well-known` folder. For universal applications, the file is accessible at this path: `/.well-known/security.txt`.

Example:

```js
securityFile: {
  contacts: [
    'mailto:security@example.com',
    'https://example.com/security'
  ], // or contacts: 'mailto:security@example.com'
  canonical: 'https://example.com/.well-known/security.txt',
  preferredLanguages: ['fr', 'en'], // or preferredLanguages: 'fr'
  encryptions: ['https://example.com/pgp-key.txt'], // or encryptions: 'https://example.com/pgp-key.txt'
  acknowledgments: ['https://example.com/hall-of-fame.html'], // or acknowledgments: 'https://example.com/hall-of-fame.html'
  policies: ['https://example.com/policy.html'], // or policies: 'https://example.com/policy.html'
  hirings: ['https://example.com/jobs.html'] // or hirings: 'https://example.com/jobs.html'
},
```
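The following added example (not the module's own code) shows what the `securityFile` options above turn into on disk: it renders a `security.txt` body using the field names defined by securitytxt.org / RFC 9116, accepting a single value or an array for each option just as the example does. The `renderSecurityTxt` function and the `sampleFile` object are constructed for this example. The `expires` argument is not one of the module options listed above; RFC 9116 makes an `Expires` line mandatory, so the example takes it as a separate parameter.

```javascript
// Added example: render the contents of .well-known/security.txt from the
// securityFile option shape. Not the module's implementation.

// Option key -> security.txt field name. Preferred-Languages is one
// comma-separated line; every other field is repeated once per value.
const FIELDS = [
  ['contacts', 'Contact'],
  ['canonical', 'Canonical'],
  ['preferredLanguages', 'Preferred-Languages'],
  ['encryptions', 'Encryption'],
  ['acknowledgments', 'Acknowledgments'],
  ['policies', 'Policy'],
  ['hirings', 'Hiring'],
];

// Each option accepts a single string or an array of strings.
function asList(value) {
  return value === undefined || value === null ? [] : [].concat(value);
}

// `expires` is an ISO 8601 date string. It is not part of the README's option
// list (assumption of this example); RFC 9116 requires the Expires field, and
// a file past its Expires date should be treated as stale by anyone reading it.
function renderSecurityTxt(securityFile, expires) {
  const lines = [];
  for (const [key, field] of FIELDS) {
    const values = asList(securityFile[key]);
    if (values.length === 0) continue;
    if (field === 'Preferred-Languages') {
      lines.push(`${field}: ${values.join(', ')}`);
    } else {
      for (const v of values) lines.push(`${field}: ${v}`);
    }
  }
  if (expires) lines.push(`Expires: ${expires}`);
  return lines.join('\n') + '\n';
}

// Constructed sample input, using the single-value form for most options.
const sampleFile = {
  contacts: 'mailto:security@example.com',
  canonical: 'https://example.com/.well-known/security.txt',
  preferredLanguages: ['fr', 'en'],
  encryptions: 'https://example.com/pgp-key.txt',
};

console.log(renderSecurityTxt(sampleFile, '2030-01-01T00:00:00.000Z'));
```

The `canonical` value should be the URL the file is actually served from (`/.well-known/security.txt` for universal apps, per the note above); a mismatch is what a reader of the file would first check when deciding whether to trust it.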
### `additionalHeaders`

- Default: `false`

If `true`, it adds these additional headers:

- `X-Frame-Options: SAMEORIGIN`
- `X-Xss-Protection: 1; mode=block`
- `X-Content-Type-Options: nosniff`
## Development

1. Clone this repository
2. Install dependencies using `yarn install` or `npm install`
3. Start the development server using `npm run dev`

## License

Copyright (c) Dans Ma Culotte tech@dansmaculotte.fr