Closed kryopix closed 3 weeks ago
We only apply Security Headers to HTML resources but I think you are right and it might be incorrect in this case.
@Baroshem what's your opinion there? Shall we apply some headers only to HTML resources (e.g. contentSecurityPolicy, crossOriginEmbedderPolicy, permissionsPolicy), and others to all resources (e.g. xContentTypeOptions, strictTransportSecurity) ?
Hey guys,
I think we could also apply it to other resources to satisfy security scanners. But at this moment I don't have an idea how to implement it, so I would need more time for that.
Also, I think we could convert it to feature request because NuxtSecurity works for HTML by design right now but we can extend it to support more cases :)
I think we could do it. We would need different hooks into render:response and beforeResponse.
Let's start by finding out which headers would need to be applied to all resources, WDYT ?
@kryopix could you please send us the detailed output from your security scanner so that we understand better what we can improve ?
@Baroshem this one was more difficult than I anticipated, but it is now available through #441. Only a subset of headers are concerned:
referrerPolicy
strictTransportSecurity
xContentTypeOptions
xDownloadOptions
xFrameOptions
xPermittedCrossDomainPolicies
xXSSProtection
Makes no sense on CSP, Permissions and COEP/COOP, I believe.
Comments welcome as always.
Cheers
Sounds good to me! Thanks for the research and work on it!
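The split discussed above (one subset of headers on every resource, the document-level headers on HTML only) as an added, stand-alone example; this is not nuxt-security's code or the implementation in #441. The hook name `beforeResponse` comes from the thread; the plugin wiring in the trailing comment, the header values, and the `fakeResponse` helper are constructed for the demonstration.

```javascript
// Added example (not nuxt-security code): choose security headers per response
// based on its Content-Type. The subset below is safe on any resource
// (CSS, JS, images, public files); the rest only affects documents.
// Header values are constructed defaults, not nuxt-security's configuration.

// Headers applied to every resource, as listed in the thread
const ALL_RESOURCE_HEADERS = {
  'Referrer-Policy': 'no-referrer',
  'Strict-Transport-Security': 'max-age=15552000; includeSubDomains',
  'X-Content-Type-Options': 'nosniff',
  'X-Download-Options': 'noopen',
  'X-Frame-Options': 'SAMEORIGIN',
  'X-Permitted-Cross-Domain-Policies': 'none',
  'X-XSS-Protection': '0',
};

// Headers that only make sense on HTML documents (CSP, Permissions, COEP/COOP)
const HTML_ONLY_HEADERS = {
  'Content-Security-Policy': "default-src 'self'",
  'Permissions-Policy': 'camera=(), microphone=()',
  'Cross-Origin-Embedder-Policy': 'require-corp',
  'Cross-Origin-Opener-Policy': 'same-origin',
};

// Treat "text/html", "text/html; charset=utf-8" and XHTML as documents
function isHtml(contentType) {
  const mime = String(contentType || '').split(';')[0].trim().toLowerCase();
  return mime === 'text/html' || mime === 'application/xhtml+xml';
}

// Pure decision: which headers a response with this Content-Type should carry
function headersFor(contentType) {
  return isHtml(contentType)
    ? { ...ALL_RESOURCE_HEADERS, ...HTML_ONLY_HEADERS }
    : { ...ALL_RESOURCE_HEADERS };
}

// Set the chosen headers on a response-like object (getHeader/setHeader),
// leaving untouched any header an upstream layer (e.g. a proxy) already set.
// Returns the names that were actually added.
function applySecurityHeaders(res) {
  const chosen = headersFor(res.getHeader('content-type'));
  const applied = [];
  for (const [name, value] of Object.entries(chosen)) {
    if (res.getHeader(name) === undefined) {
      res.setHeader(name, value);
      applied.push(name);
    }
  }
  return applied;
}

// Minimal in-memory response for the demonstration (constructed; not h3/Nitro).
// Header names are case-insensitive, as in Node's http.ServerResponse.
function fakeResponse(initialHeaders) {
  const store = new Map(
    Object.entries(initialHeaders).map(([k, v]) => [k.toLowerCase(), v]),
  );
  return {
    getHeader: (n) => store.get(n.toLowerCase()),
    setHeader: (n, v) => { store.set(n.toLowerCase(), v); },
    headers: () => Object.fromEntries(store),
  };
}

// Wiring into Nitro is assumed, not taken from the project: in a Nitro plugin
// the function above would run from the `beforeResponse` hook named in the thread,
// after the Content-Type of the static asset is known, e.g.
//   nitroApp.hooks.hook('beforeResponse', (event) => applySecurityHeaders(event.node.res));

// Demonstration on one asset and one document
const js = fakeResponse({ 'Content-Type': 'application/javascript' });
console.log('JS asset gets:', applySecurityHeaders(js));
const html = fakeResponse({ 'Content-Type': 'text/html; charset=utf-8', 'X-Frame-Options': 'DENY' });
console.log('HTML document gets:', applySecurityHeaders(html));
```

Running it shows the JS asset receiving exactly the seven resource-wide headers and no CSP, while the HTML document receives all eleven except the `X-Frame-Options` value already present, which is preserved rather than overwritten.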
Hello,
I've noticed that all web security headers only appear in the HTML responses, but not in the Nuxt resources such as CSS, JS, etc. Public resources are also not considered by Nuxt-Security.
Security scanners are raising alarms because the necessary headers, such as X-Content-Type-Options: nosniff, are not set on the resources.
Currently, I've solved this issue with an additional proxy that sets these headers on all resources. However, I suspect this might be a bug in Nuxt-Security, but I'm not sure as I'm not very familiar with this area.
Is it intended that the security headers are only set in the HTML responses? Or is this a bug?
Thank you in advance for your help.
Best regards