Baroshem / nuxt-security

🛡 Automatically configure your app to follow OWASP security patterns and principles by using HTTP Headers and Middleware
https://nuxt-security.vercel.app/
MIT License
737 stars, 56 forks

feat(core): Security Headers for Pre-rendered Routes #441

Status: Closed (vejja closed this 1 month ago)

vejja commented 1 month ago

Description

With this PR, security headers

Previously, when a route was pre-rendered via routeRules, the Nuxt application could not deliver the Security Headers. This is because the HTML page is served directly as a pre-built static asset, and we could not intercept the headers in that case to modify them.

This PR proposes a modification of the core engine of Nuxt Security, whereby we now record all pre-rendered pages at build time, and then intercept all requests to verify whether they correspond to a pre-rendered page.

As a consequence of this core upgrade, we now deliver five additional features:

  1. For pre-rendered pages in a Nuxt Hybrid application, we are now able to provide CSP by way of headers, in addition to the meta tag. This addresses the issue where some security scanners are complaining about CSP compliance because they do not check the meta tag.
  2. More generally, we are now able to provide all security headers for pre-rendered pages. Previously, only CSP could be provided through the meta tag, but now all other policies (e.g. COEP, STS, etc.) can also be delivered via headers for pre-rendered pages in Hybrid Mode.
  3. We take this opportunity to also re-activate the cspSsgPresets feature, which had to be deactivated after the upgrade to Nuxt 3.9.3 caused issue #348. With this feature, we now generate a headers.json file that is used by Nitro in static presets. For instance, a static website deployed on Vercel or Netlify now has security headers natively on all pages, even without a server runtime!
  4. We introduce a new nuxt-security:prerenderedHeaders build-time hook, which allows further extending the previous feature when there is no Nitro preset available. This hook can be used to manually generate a headers configuration file for any custom static deployment.
  5. In addition, we now add some common security headers on non-HTML assets, such as images, .js or .css files, API requests, etc. The following headers are now delivered on all resources: referrerPolicy, strictTransportSecurity, xContentTypeOptions, xDownloadOptions, xFrameOptions, xPermittedCrossDomainPolicies, and xXSSProtection.

Please note that:

Closes #386 Closes #409 Closes #434

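The mechanism described in the PR description, as an added example that is not nuxt-security's own code: a build-time registry of pre-rendered routes, a request-time lookup that picks the full HTML header set for a pre-rendered page and the reduced set for non-HTML resources (point 5 above), and a Netlify-style `_headers` file for a deployment with no server runtime. All header values, route paths and function names (`recordPrerenderedRoutes`, `resolveHeaders`, `toNetlifyHeadersFile`) are constructed for the illustration; the module's real `nuxt-security:prerenderedHeaders` hook and its `headers.json` schema are not reproduced here.

```javascript
// Added illustration, not nuxt-security's implementation. Header names/values are
// constructed samples, not the module's defaults.

// Headers that are useful on every resource, HTML or not: the set the PR description
// lists for images, .js/.css files and API responses.
const ASSET_HEADERS = Object.freeze({
  'referrer-policy': 'no-referrer',
  'strict-transport-security': 'max-age=15552000; includeSubDomains',
  'x-content-type-options': 'nosniff',
  'x-download-options': 'noopen',
  'x-frame-options': 'SAMEORIGIN',
  'x-permitted-cross-domain-policies': 'none',
  'x-xss-protection': '0',
});

// Full set for HTML documents. A pre-rendered page is static, so its CSP cannot carry a
// per-request nonce: it has to use the script hashes that were baked into the built HTML
// (the sha256 value below is a constructed placeholder, not a real digest).
const HTML_HEADERS = Object.freeze({
  ...ASSET_HEADERS,
  'content-security-policy':
    "default-src 'self'; script-src 'self' 'sha256-PLACEHOLDERHASH='; " +
    "frame-ancestors 'self'; base-uri 'self'; object-src 'none'",
  'cross-origin-embedder-policy': 'require-corp',
  'cross-origin-opener-policy': 'same-origin',
  'cross-origin-resource-policy': 'same-origin',
});

// Canonical key for a page path: drop query/fragment and a trailing "/index.html" or "/",
// so "/about", "/about/" and "/about/index.html" all hit the same registry entry.
function canonicalPagePath(path) {
  let p = path.split('?')[0].split('#')[0];
  if (p.endsWith('/index.html')) p = p.slice(0, -'/index.html'.length);
  if (p.length > 1 && p.endsWith('/')) p = p.slice(0, -1);
  return p === '' ? '/' : p;
}

// Build time: record every route the prerenderer emitted. The returned Map is what the
// request-time handler consults; `routes` is an assumed list of pre-rendered paths.
function recordPrerenderedRoutes(routes, htmlHeaders = HTML_HEADERS) {
  const registry = new Map();
  for (const route of routes) registry.set(canonicalPagePath(route), { ...htmlHeaders });
  return registry;
}

// Request time: classify the request and return the headers to attach.
//   pre-rendered page  -> full HTML set (CSP via header, not only via the meta tag)
//   non-HTML resource  -> reduced asset set
//   anything else      -> null: an SSR route, left to the normal response hook
function resolveHeaders(requestPath, registry) {
  const key = canonicalPagePath(requestPath);
  if (registry.has(key)) return registry.get(key);
  const isAsset = /\.[a-z0-9]+$/i.test(key) || key.startsWith('/api/');
  return isAsset ? { ...ASSET_HEADERS } : null;
}

// Static deployment without a server runtime: serialise the registry as a Netlify-style
// `_headers` file (a path line followed by indented "name: value" lines), with a catch-all
// rule carrying the asset set. Vercel and other hosts use their own configuration shape.
function toNetlifyHeadersFile(registry) {
  const lines = [];
  const emit = (path, headers) => {
    lines.push(path);
    for (const [name, value] of Object.entries(headers)) lines.push(`  ${name}: ${value}`);
  };
  for (const [path, headers] of registry) emit(path, headers);
  emit('/*', ASSET_HEADERS);
  return lines.join('\n') + '\n';
}

// Stand-alone run: constructed route list, then a few lookups and the generated file.
const registry = recordPrerenderedRoutes(['/', '/about/', '/blog/index.html']);
console.log(resolveHeaders('/about/index.html?utm=1', registry)['content-security-policy']);
console.log(resolveHeaders('/_nuxt/entry.abc123.js', registry));
console.log(resolveHeaders('/dashboard', registry));
console.log(toNetlifyHeadersFile(registry));
```

Two checks worth keeping in mind when doing this for real. First, the header CSP and the meta-tag CSP are both enforced when a page ships both, and a browser applies every policy it receives, so the header must carry the same hashes as the built HTML or scripts that pass one policy will be blocked by the other. Second, `frame-ancestors`, `report-uri` and `sandbox` are ignored in a `<meta>` CSP, so for a pre-rendered page they only take effect once the policy is delivered as a header, which is a concrete reason for this change beyond keeping scanners happy. The asset set is a subset of the HTML set with identical values, so the overlap between a page rule and the `/*` catch-all is harmless whichever precedence the host applies; check the host's trailing-slash handling before relying on exact path rules.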
vercel[bot] commented 1 month ago

The latest updates on your projects.

Name: nuxt-security
Status: ✅ Ready
Updated (UTC): May 8, 2024 0:12am
Baroshem commented 1 month ago

Hi @vejja

Thanks for this amazing PR!

I needed to first release your other PR with SRI fix and it caused the conflicts in this PR. Could you please rebase it? :)

Also, regarding the release of this feature, I would aim for 1.5.0 next week probably if that is ok with you? :)

I will also review it in the upcoming days to give you some feedback.

vejja commented 1 month ago

> Hi @vejja
>
> Thanks for this amazing PR!
>
> I needed to first release your other PR with SRI fix and it caused the conflicts in this PR. Could you please rebase it? :)
>
> Also, regarding the release of this feature, I would aim for 1.5.0 next week probably if that is ok with you? :)
>
> I will also review it in the upcoming days to give you some feedback.

1.5.0 sounds good. By the way, I'm also adding a hook for further customization when Nitro presets are not available or when the user wants to create the configuration file himself. Will update docs and rebase.

vejja commented 1 month ago

I'm also closing #434 with this PR. Will update description and notes.

vejja commented 1 month ago

@Baroshem As a side technical note, I am also fixing the issue that popped up with #438 when we released 1.4.0, where we had to duplicate some utils in different folders because runtime code could not access files in the src folder. I am adding a build.config.ts file that tells unjs/unbuild to make the utils code available at the root. This allows putting all common code in utils, no duplication required anymore!

Baroshem commented 1 month ago

Amazing work @vejja !

I will merge it to the 2.0.0-rc.1 branch where we can do some additional testing and prepare a big release soon :)