Baroshem / nuxt-security

🛡 Automatically configure your app to follow OWASP security patterns and principles by using HTTP Headers and Middleware
https://nuxt-security.vercel.app/
MIT License

Use both `routeRules` configs of `nuxt.config` for `contentSecurityPolicy` #402

Closed aerophobic closed 3 months ago

aerophobic commented 3 months ago

As of now the contentSecurityPolicy config is merged with routeRules defined under nitro in nuxt.config (https://nuxt.com/docs/api/nuxt-config#routerules):

https://github.com/Baroshem/nuxt-security/blob/13a96a6e36989a277cb046b379bb65a251e04afc/src/module.ts#L180

I guess this one could be extended to merge the routeRules entry of nuxt.config as well (https://nuxt.com/docs/api/nuxt-config#routerules-1).

I can open a PR if this is something you want to consider.

Great job with this fantastic module, btw 🎉

vejja commented 3 months ago

~~Hi @aerophobic, I may be mistaken, but I think routeRules are only located under nitro. I don't think there is a routeRules entry in nuxt.config?~~ Update: see below from @Baroshem

Baroshem commented 3 months ago

Hey there,

Thanks for creating this issue. I may not understand correctly, but you can currently do this -> https://github.com/Baroshem/nuxt-security/blob/13a96a6e36989a277cb046b379bb65a251e04afc/playground/nuxt.config.ts#L7

aerophobic commented 3 months ago

Hey @vejja @Baroshem I tried that, but it wasn't picked up. But when added as...

```ts
export default defineNuxtConfig({
  nitro: {
    routeRules: {
      // config
    }
  }
})
```

...it worked. So I looked into the source code and I couldn't see any reference to using nuxt.options.routeRules.

Just tested it again and it works fine, as you said. As nuxt.options.routeRules is an alias of nuxt.options.nitro.routeRules, it should definitely work, of course.

So never mind, I'll close this. And thanks again 🙏