Baroshem / nuxt-security

🛡 Automatically configure your app to follow OWASP security patterns and principles by using HTTP Headers and Middleware
https://nuxt-security.vercel.app/
MIT License

Support for Security Headers for resources other than HTML #434

Closed kryopix closed 3 weeks ago

kryopix commented 2 months ago

Hello,

I've noticed that all web security headers only appear in the HTML responses, but not in the Nuxt resources such as CSS, JS, etc. Public resources are also not considered by Nuxt-Security.

Security scanners are raising alarms because the necessary headers, such as X-Content-Type-Options: nosniff, are not set on the resources.

Currently, I've solved this issue with an additional proxy that sets these headers on all resources. However, I suspect this might be a bug in Nuxt-Security, but I'm not sure as I'm not very familiar with this area.

Is it intended that the security headers are only set in the HTML responses? Or is this a bug?

Thank you in advance for your help.

Best regards

vejja commented 2 months ago

We only apply Security Headers to HTML resources but I think you are right and it might be incorrect in this case.

@Baroshem what's your opinion there? Shall we apply some headers only to HTML resources (e.g. contentSecurityPolicy, crossOriginEmbedderPolicy, permissionsPolicy), and others to all resources (e.g. xContentTypeOptions, strictTransportSecurity) ?

Baroshem commented 2 months ago

Hey guys,

I think we could also apply it to other resources to satisfy security scanners. But at this moment I don't have an idea how to implement it, so I would need more time for that.

Also, I think we could convert it to feature request because NuxtSecurity works for HTML by design right now but we can extend it to support more cases :)

vejja commented 2 months ago

I think we could do it. We would need different hooks into render:response and beforeResponse. Let's start by finding out which headers would need to be applied to all resources, WDYT ?

@kryopix could you please send us the detailed output from your security scanner so that we understand better what we can improve ?
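The split proposed above (a small set of headers on every response, the document-level policies only on HTML) can be sketched as a plain JavaScript function. This is an added illustration written for this thread, not code from nuxt-security or from #441; the hook names, the h3/Nitro response shape and the exact membership of each header group are assumptions, and the sample responses are constructed.

```javascript
// Added example: decide which security headers a response should carry based on
// its Content-Type. Not nuxt-security code; which header lands in which group is
// an assumption modelled on the comment above.

// Headers that are meaningful on any resource (CSS, JS, images, fonts, ...).
const HEADERS_FOR_ALL_RESOURCES = {
  'X-Content-Type-Options': 'nosniff',
  'Strict-Transport-Security': 'max-age=15552000; includeSubDomains',
};

// Headers that only make sense on an HTML document (they govern a browsing context).
const HEADERS_FOR_HTML_ONLY = {
  'Content-Security-Policy': "default-src 'self'",
  'Cross-Origin-Embedder-Policy': 'require-corp',
  'Cross-Origin-Opener-Policy': 'same-origin',
  'Permissions-Policy': 'camera=(), microphone=()',
  'X-Frame-Options': 'DENY',
};

// "text/html" with or without parameters such as "; charset=utf-8".
function isHtml(contentType) {
  return /^text\/html\b/i.test((contentType || '').trim());
}

// Header set for a given Content-Type: everything for HTML, the base set otherwise.
function securityHeadersFor(contentType) {
  return isHtml(contentType)
    ? { ...HEADERS_FOR_ALL_RESOURCES, ...HEADERS_FOR_HTML_ONLY }
    : { ...HEADERS_FOR_ALL_RESOURCES };
}

// Apply the chosen headers to a minimal response object (a constructed stand-in
// for what a beforeResponse-style hook would receive). Existing headers win, so
// a route that sets its own CSP is not overwritten.
function applySecurityHeaders(res) {
  const existing = new Set(Object.keys(res.headers).map((k) => k.toLowerCase()));
  const wanted = securityHeadersFor(res.headers['content-type']);
  for (const [name, value] of Object.entries(wanted)) {
    if (!existing.has(name.toLowerCase())) res.headers[name] = value;
  }
  return res;
}

// What a scanner effectively checks: which paths lack X-Content-Type-Options.
function pathsMissingNosniff(responses) {
  return responses
    .filter((r) => !Object.keys(r.headers).some((k) => k.toLowerCase() === 'x-content-type-options'))
    .map((r) => r.path);
}

// Constructed sample: an HTML page and a JS chunk, as they look before any hook runs.
function sampleResponses() {
  return [
    { path: '/', headers: { 'content-type': 'text/html; charset=utf-8' } },
    { path: '/_nuxt/entry.js', headers: { 'content-type': 'application/javascript' } },
    { path: '/_nuxt/app.css', headers: { 'content-type': 'text/css' } },
  ];
}

// Run the hook over every response and report what is still missing.
function hardenAll(responses) {
  return responses.map(applySecurityHeaders);
}

if (typeof require !== 'undefined' && require.main === module) {
  const before = sampleResponses();
  console.log('missing nosniff before:', pathsMissingNosniff(before)); // all three paths
  const after = hardenAll(sampleResponses());
  console.log('missing nosniff after:', pathsMissingNosniff(after)); // []
  console.log('CSP on JS chunk:', after[1].headers['Content-Security-Policy']); // undefined
}
```

The point of the `isHtml` branch is that the document-level policies (CSP, COOP/COEP, Permissions-Policy) are skipped for the `.js` and `.css` responses, while `nosniff` and HSTS reach every response, which is exactly what a scanner flagging static assets is looking for.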

vejja commented 1 month ago

@Baroshem this one was more difficult than I anticipated, but now available through #441. Only a subset of headers are concerned:

Makes no sense on CSP, Permissions and COEP/COOP I believe.

Comments welcome as always.

Cheers

Baroshem commented 1 month ago

Sounds good to me! Thanks for the research and work on it!