Baroshem / nuxt-security

🛡 Automatically configure your app to follow OWASP security patterns and principles by using HTTP Headers and Middleware
https://nuxt-security.vercel.app/
MIT License

XSS validator per route #362

Closed mozhgan-k closed 8 months ago

mozhgan-k commented 8 months ago

Hi, I have an issue with disabling the XSS validator in a specific route. According to the documentation, if I want to disable it for a specific route, I should use the following configuration:

// Per Route
routeRules: {
  '/my-secret-route': {
    security: {
      xssValidator: {
        // options
      }
    }
  }
}

However, when I use it in my nuxt.config, it doesn't seem to work. I want to enable it globally and disable it for just one of my routes.

Here is my nuxt.config:

security: {
  headers: {
    xssValidator: {
      throwError: true
    },
  },
  routeRules: {
    '/myRoute': {
      security: {
        xssValidator: false
      }
    }
  },
}

Baroshem commented 8 months ago

Hey @mozhgan-k

In your config you have security.headers.rateLimiter which is not correct.

The headers object only applies to browser response headers such as Content Security Policy.

The rate limiter is nested inside security only:

security: {
  xssValidator: {
    throwError: true
  },
}

Also, routeRules are part of the Nuxt Config, not the Security object:

routeRules: {
  '/myRoute': {
    security: {
      xssValidator: false
    }
  }
}

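The two corrected fragments above, combined into one config object as an added example (not code from the nuxt-security project or from either commenter), with a small resolver that models the precedence the reply describes: a matching route rule's `security.xssValidator` wins over the global `security.xssValidator`. The resolver, its `/**` prefix matching and its treatment of a missing setting as disabled are simplifications assumed for this illustration; the module itself resolves route rules through Nitro.

```javascript
// Corrected layout from the thread: xssValidator sits directly under `security`
// (not under `security.headers`), and routeRules is a top-level Nuxt config key
// (not nested inside `security`).
const nuxtConfig = {
  modules: ['nuxt-security'],
  security: {
    xssValidator: { throwError: true },                 // enabled globally
  },
  routeRules: {
    '/myRoute': { security: { xssValidator: false } },  // disabled for this route only
  },
};

// Simplified route-rule matching (assumption for this example): an exact path,
// or a `/**` pattern matched as a path prefix.
function matchesRule(pattern, path) {
  if (pattern.endsWith('/**')) return path.startsWith(pattern.slice(0, -2));
  return pattern === path;
}

// Effective xssValidator option for a request path: the first matching route
// rule that sets it, otherwise the global value. A missing setting is treated
// as disabled here (illustrative model, not the module's real defaults).
function effectiveXssValidator(config, path) {
  for (const [pattern, rule] of Object.entries(config.routeRules ?? {})) {
    const perRoute = rule?.security?.xssValidator;
    if (matchesRule(pattern, path) && perRoute !== undefined) return perRoute;
  }
  return config.security?.xssValidator ?? false;
}

// Walk a couple of constructed request paths through the resolver.
for (const path of ['/myRoute', '/other']) {
  console.log(path, '->', JSON.stringify(effectiveXssValidator(nuxtConfig, path)));
}
```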
mozhgan-k commented 8 months ago

It worked. Thank you.