https://github.com/dansmaculotte/nuxt-security
Module for Nuxt.js to configure security headers and more
content-security-policy csp feature-policy hsts nuxt nuxt-module referrer-policy security-txt strict-transport-security
Last synced: 20 days ago
Module for Nuxt.js to configure security headers and more
- Host: GitHub
- URL: https://github.com/dansmaculotte/nuxt-security
- Owner: dansmaculotte
- License: mit
- Created: 2020-01-28T10:15:30.000Z (almost 5 years ago)
- Default Branch: master
- Last Pushed: 2024-12-11T13:13:58.000Z (28 days ago)
- Last Synced: 2024-12-11T14:22:56.837Z (28 days ago)
- Topics: content-security-policy, csp, feature-policy, hsts, nuxt, nuxt-module, referrer-policy, security-txt, strict-transport-security
- Language: JavaScript
- Homepage:
- Size: 3.98 MB
- Stars: 57
- Watchers: 3
- Forks: 8
- Open Issues: 3
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE.md
README
**IMPORTANT**: I will not support this module anymore.
# @dansmaculotte/nuxt-security
[![npm version][npm-version-src]][npm-version-href]
[![npm downloads][npm-downloads-src]][npm-downloads-href]
[![License][license-src]][license-href]

> Module for Nuxt.js 2 to configure security headers and more
## Compatibility with Nuxt releases
This module has been developed for Nuxt 2. If you are looking for an equivalent
compatible with Nuxt 3, please have a look at
[https://www.npmjs.com/package/nuxt-security](https://www.npmjs.com/package/nuxt-security).

## Features
This module allows you to configure various security headers such as CSP and HSTS, and can also generate a `security.txt` file.
Here is a list of available features:

- Strict-Transport-Security header
- Content-Security-Policy header
- X-Frame-Options header
- X-Xss-Protection
- X-Content-Type-Options header
- Referrer-Policy header
- Permissions-Policy header (previously Feature-Policy)
- security.txt file generation

### ToDo
- [ ] Sign security.txt with OpenPGP
- [ ] Headers as meta tags for SPA
- [ ] Public-Key-Pins

[📖 **Release Notes**](./CHANGELOG.md)
## Setup
1. Add `@dansmaculotte/nuxt-security` dependency to your project
```bash
yarn add @dansmaculotte/nuxt-security # or npm install @dansmaculotte/nuxt-security
```

2. Add `@dansmaculotte/nuxt-security` to the `modules` section of `nuxt.config.js`

```js
{
  modules: [
    // Simple usage
    '@dansmaculotte/nuxt-security',

    // With options
    [
      '@dansmaculotte/nuxt-security',
      {
        /* module options */
      }
    ]
  ],

  // Top level options
  security: {}
}
```

## Options
### `dev`
- Default: `process.env.SECURITY_DEV || false`
Enable module in development mode
### `hsts`
- Default: `null`
This option relies on the [helmet hsts](https://helmetjs.github.io/docs/hsts/) package.
Example:
```js
hsts: {
  maxAge: 15552000,
  includeSubDomains: true,
  preload: true
},
```

### `csp`
- Default: `null`
This option relies on the [helmet csp](https://helmetjs.github.io/docs/csp/) package.
Example:
```js
csp: {
  directives: {
    defaultSrc: ["'self'"],
    scriptSrc: ["'self'"],
    objectSrc: ["'self'"],
  },
  reportOnly: false,
},
```

### `referrer`
- Default: `null`
This option relies on the [helmet referrer policy](https://helmetjs.github.io/docs/referrer-policy/) package.
Example:
```js
referrer: 'same-origin',
```

### `permissions`
- Default: `null`
This option relies on the [permissions policy](https://github.com/pedro-gbf/permissions-policy) package.
Example:
```js
permissions: {
  notifications: ['none']
},
```

**Note:** this option replaces the `feature` option, as the Feature-Policy
header [is deprecated](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy).
The previous `features` option is still supported for now, but it displays a warning
and sends the Permissions-Policy header instead.

### `securityFile`
- Default: `null`
This option allows you to generate a `security.txt` file as described by [securitytxt.org](https://securitytxt.org/).
When generating an SPA application, the file is written to the `dist/.well-known` folder.
For universal applications, the file is served at `/.well-known/security.txt`.
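The rendering described above, as an added example that is not the module's own code: it turns a `securityFile` option object of this shape (each field a string or an array of strings) into the text of the file, and checks that `canonical` names the `/.well-known/security.txt` path the file is actually served from. The sample option object is constructed for the example.

```javascript
// Added example, not the module's own code: render a `securityFile` option
// object into security.txt text. Field names follow securitytxt.org / RFC 9116.
const FIELDS = [
  ['contacts', 'Contact'],
  ['canonical', 'Canonical'],
  ['preferredLanguages', 'Preferred-Languages'],
  ['encryptions', 'Encryption'],
  ['acknowledgments', 'Acknowledgments'],
  ['policies', 'Policy'],
  ['hirings', 'Hiring'],
];

// Every option accepts either a string or an array of strings.
function toList(value) {
  if (value === undefined || value === null) return [];
  return Array.isArray(value) ? value : [value];
}

function renderSecurityTxt(options) {
  const lines = [];
  for (const [key, field] of FIELDS) {
    const values = toList(options[key]);
    if (values.length === 0) continue;
    if (key === 'preferredLanguages') {
      // Preferred-Languages is one comma-separated field, not one line per value.
      lines.push(`${field}: ${values.join(', ')}`);
    } else {
      for (const v of values) lines.push(`${field}: ${v}`);
    }
  }
  // RFC 9116 also requires an Expires field, which the option list above does
  // not cover; a compliant file needs it added separately.
  return lines.length ? lines.join('\n') + '\n' : '';
}

// Canonical must name the location the file is served from; a typo such as
// ".well-know" makes the field disagree with the real URL.
function canonicalIsValid(options) {
  const urls = toList(options.canonical);
  return urls.every((u) => /^https:\/\/[^/?#]+\/\.well-known\/security\.txt$/.test(u));
}

// Constructed sample, not from the original page.
const sample = {
  contacts: ['mailto:security@example.com', 'https://example.com/security'],
  canonical: 'https://example.com/.well-known/security.txt',
  preferredLanguages: ['fr', 'en'],
  encryptions: 'https://example.com/pgp-key.txt',
};
```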
Example configuration:
```js
securityFile: {
  contacts: [
    'mailto:[email protected]',
    'https://example.com/security'
  ],
  // or contacts: 'mailto:[email protected]'
  canonical: 'https://example.com/.well-known/security.txt',
  preferredLanguages: ['fr', 'en'],
  // or preferredLanguages: 'fr',
  encryptions: ['https://example.com/pgp-key.txt'],
  // or encryptions: 'https://example.com/pgp-key.txt',
  acknowledgments: ['https://example.com/hall-of-fame.html'],
  // or acknowledgments: 'https://example.com/hall-of-fame.html',
  policies: ['https://example.com/policy.html'],
  // or policies: 'https://example.com/policy.html',
  hirings: ['https://example.com/jobs.html']
  // or hirings: 'https://example.com/jobs.html'
},
```

### `additionalHeaders`
- Default: `false`
If `true`, it adds the following additional headers:
- `X-Frame-Options: SAMEORIGIN` - [documentation](https://scotthelme.co.uk/hardening-your-http-response-headers/#x-frame-options)
- `X-Xss-Protection: 1; mode=block` - [documentation](https://scotthelme.co.uk/hardening-your-http-response-headers/#x-xss-protection)
- `X-Content-Type-Options: nosniff` - [documentation](https://scotthelme.co.uk/hardening-your-http-response-headers/#x-content-type-options)

## Development
1. Clone this repository
2. Install dependencies using `yarn install` or `npm install`
3. Start the development server using `npm run dev`

## License
[MIT License](./LICENSE.md)
Copyright (c) Dans Ma Culotte
[npm-version-src]: https://img.shields.io/npm/v/@dansmaculotte/nuxt-security/latest.svg?style=flat-square
[npm-version-href]: https://npmjs.com/package/@dansmaculotte/nuxt-security
[npm-downloads-src]: https://img.shields.io/npm/dt/@dansmaculotte/nuxt-security.svg?style=flat-square
[npm-downloads-href]: https://npmjs.com/package/@dansmaculotte/nuxt-security
[license-src]: https://img.shields.io/npm/l/@dansmaculotte/nuxt-security.svg?style=flat-square
[license-href]: https://npmjs.com/package/@dansmaculotte/nuxt-security