Baroshem / nuxt-security

🛡 Automatically configure your app to follow OWASP security patterns and principles by using HTTP Headers and Middleware
https://nuxt-security.vercel.app/
MIT License

Same module for Nitro #405

Closed MickL closed 3 months ago

MickL commented 3 months ago

Is your feature request related to a problem? Please describe.

For Nitro there seems to be no module like nuxt-security. I wonder if nuxt-security can be "ported" as Nuxt is basically Nitro.

Btw. if you look into the Nitro docs you might think it doesn't support modules, but in fact it is just not documented: https://github.com/unjs/nitro/issues/1862

Baroshem commented 3 months ago

Hey there,

Thanks for creating this issue.

You are correct. There is no module like NuxtSecurity for Nitro (unless there is one that works differently).

@pi0 what are your thoughts on that?

But honestly, I won't be able to find the time to create and maintain another module. I am happy to provide guidance to someone who can create and maintain it, but I myself won't be able to do it.

MickL commented 3 months ago

I feel like it is a general problem of Nitro that it basically has no modules and all existing Nuxt modules are not compatible out of the box.

A security module is urgently needed, but I was thinking: what if Nuxt releases an amazing Auth module for Nuxt? It will not be available for Nitro either.

@pi0 Maybe a solution would be great where modules like security or auth are developed for Nitro instead of for Nuxt and then automatically work for both. I guess that's not possible, but it brings me back to my request of separating the Nuxt backend API and SSR more: https://github.com/nuxt/nuxt/issues/26103

pi0 commented 3 months ago

Hi. Everything security related I expect to be directly discussed, developed and maintained within Nitro core only. A security feature for Nitro is urgently needed only if there is a clear issue reported within its context.

MickL commented 3 months ago

Wouldn't this make nuxt-security redundant then?

I don't see Nitro providing the same features as nuxt-security, e.g. rate limiter, request size limiter, XSS validator, XSS protection.

vejja commented 3 months ago

Hi @MickL

My understanding is that Nuxt creates a hybrid application, while Nitro creates a server.

As far as Nuxt-Security is concerned, we mostly deal with application security. A good example is CSP: CSP is a set of rules that apply to the client-side and are enforced by the browser. Even though the rules are transmitted by the server, their purpose is to protect the end-user, not to protect the server.

In other words, Nuxt-Security aims at enforcing good security practices for the Nuxt application running in the browser, but does not aim to provide defense against badly-designed code or compromised libraries that could be running in the Nitro server.

Please note that I am using my own mental map of the difference between Nuxt and Nitro here, so I might be mistaken. I would even venture to say that in my opinion, it is very difficult to understand what is the real scope of Nuxt vs the real scope of Nitro, because the tasks are often shared, there are many runtime inter-dependencies that make the distinction very blurry, and to be honest the terminology can sometimes be quite confusing. Personal opinion here, and for the record I'm a Nuxt fanboy.

pi0 commented 3 months ago

I hope the maintainers of this project don't take my message personally; I'm just mentioning this because it was mentioned in this discussion.

Yes, security depends on context. The x-powered-by header is actually a feature of Nuxt! And for features like CSP headers, we have had them built-in since Nuxt 2; I just wish someone had helped this to land sooner in the core.

Nitro provides the infrastructure for building secure web applications (for everyone). CSP support is relevant for Nitro but it has to be a built-in feature for it to be usable by higher order layers such as Nuxt.

If someone wants to collaborate on the Nitro side, discussions and issues are always the way to go and welcome.

MickL commented 3 months ago

I actually use most of nuxt-security to protect my api routes only, and all those things are missing for Nitro:

Baroshem commented 3 months ago

I agree with @vejja, who is doing an amazing job for the module. The reason we are doing all the work we do for the module is that we are huge fans of the Nuxt framework.

I myself am a maintainer of at least four Nuxt modules and there is a reason for that :)

I understand that it could be useful to have a similar feature for Nitro, but I cannot work on it. I am happy to help with feedback, sharing knowledge and so on if someone is interested in porting the module.

Thanks for all the input guys. I will close this issue as not planned.