Open myaaaapon opened 1 month ago
Hi @myaaaapon
You are right that we do not apply the same settings to HTML resources, JS/CSS files and backend routes. This is documented here: https://nuxt-security.vercel.app/documentation/advanced/security-headers Maybe the documentation is not clear enough. Let us know if you have suggestions for reorganizing the docs.
The logic is basically the following:
JS/CSS files (and all other static files) are delivered differently whether you are using SSR (delivered by the Nuxt server) or SSG (delivered by your CDN or your custom static server). If you have difficulty understanding the headers of your JS/CSS files, let me know your server setup so that I can further guide you.
As far as the CORS handler is concerned, I'll have a look at how we resolve the rules and let you know here. Cheers
Hey @myaaaapon any feedback from your side? Is there anything we could do to improve the documentation? :)
Hi @vejja
Thank you for your detailed answer 😊
I had missed your advanced settings...
This gave me a good understanding of the difference between HTML and the headers of the rest of the file. It helped me a lot. Thank you.
If any policy on the CORS Handler has been decided on your end, I would be grateful if you could share it with me.
Hi @Baroshem Maybe, like me, someone might mistake "The default header values for js/css files and files under /api are not set!" for a bug; I felt it would be easier to understand if there was a link or something on the 'default configuration' page. 🤔
I found a mistake in the documentation.
- type HTTPMethod = 'GET' | 'POST' | 'DELETE' | 'PATCH' | 'POST' | string;
# Perhaps the following is correct.
+ type HTTPMethod = 'GET' | 'POST' | 'DELETE' | 'PATCH' | 'PUT' | string;
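Review bot: the union on the `-` line lists 'POST' twice and omits 'PUT', so the `+` line is the right correction. Note that the trailing `| string` widens the alias to any string, so the literal members only give editor completion and do not restrict the accepted values at the type level.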
Alternatively, since the default value for the CORS Handler is the following, I think a default value identical to the following might be fine. What do you think?
# I think this is also good.
----
@vejja @Baroshem Finally, thank you for your very polite and prompt reply. I used to be in trouble, but you have helped me a lot 😊
@myaaaapon Thanks for the extensive research from your side!
Would you be interested in contributing to the project with the bugfixes you mentioned? I will be more than happy to help you :)
This handy module has saved me a lot of time on my security!! I always appreciate your developments 😊
I have three questions and suggestions.
1. Information on js/css default values in the documentation.
It seems that the header values are different for HTML and the rest of the files. I have spent a lot of time mistaking this for a bug...😢 I think it would be more helpful to mention this in the documentation.
Defaults ・Mentioned below. #434
2. Header settings under the backend and js/css header settings in the frontend are the same
By default, the header settings are the same as for the front-end js/css files, even though the files are under the back-end /server/api. Sorry... I am not very familiar with this, but is this a security issue?
Mentioned below. #434
3. corsHandler settings are not applied. Is this a bug?
I want to set `Access-Control-Allow-Origin: http://localhost:3000`. (Document: CORS Handler) If it is as follows, it is not applied. It will be applied if you do the following.
I would like the default values for methods, allowHeaders and the other items other than origin. In other words, how can I make only origin a unique setting? Or is this my mistake..?