nuxt-modules / security

🛡 Automatically configure your app to follow OWASP security patterns and principles by using HTTP Headers and Middleware
https://nuxt-security.vercel.app/
MIT License

Customizing Errors in Nuxt Security Configuration #537

Closed tahirmahmudzade closed 1 month ago

tahirmahmudzade commented 1 month ago

I’m using the Nuxt Security module and would like to know if it’s possible to customize the error responses for different security configurations. For example, in the configuration below:

// nuxt.config.ts
export default defineNuxtConfig({
  modules: [
    'nuxt-security',
    // other modules
  ],

  security: {
    // Reject oversized request bodies; throwError: true makes the middleware throw
    requestSizeLimiter: {
      maxRequestSizeInBytes: 2000000,
      maxUploadFileRequestInBytes: 12000000,
      throwError: true,
    },
    headers: {
      crossOriginEmbedderPolicy: 'unsafe-none',
      contentSecurityPolicy: {
        'img-src': ["'self'", 'data:', 'blob:'],
        'script-src': ["'self'", 'https:', "'strict-dynamic'", "'nonce-{{nonce}}'"],
      },
      xXSSProtection: '1; mode=block',
    },
  },
  nitro: {
    routeRules: {
      // Per-route rate limits on the authentication endpoints: 6 requests per minute
      '/api/auth/reset-password': {
        security: {
          rateLimiter: {
            tokensPerInterval: 6,
            interval: 60000,
            throwError: true
          }
        }
      },
      '/api/auth/login': {
        security: {
          rateLimiter: {
            tokensPerInterval: 6,
            interval: 60000,
            throwError: true
          }
        }
      },
    },
  },
});

I noticed that I can use the throwError property for rate limiting, request size limiting, etc., to trigger errors when these limits are reached. Is there a way to customize the error message or response sent to the client when these security measures are enforced?

Baroshem commented 1 month ago

Hey there!

Good question! If you set throwError to false, then instead of the middleware throwing the error, it will just return a JSON object with the error that you could catch and handle in your own desired way.

Would that solve it?
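As an added illustration of the pattern described in this answer (example code written for this thread, not nuxt-security's own implementation), the TypeScript below models a token-bucket limiter with the same `tokensPerInterval` / `interval` / `throwError` options as the config in the question. With `throwError: true` the limiter throws; with `throwError: false` it returns a plain error object, and the application maps that object to its own client-facing response. The error shape `{ statusCode, statusMessage }`, the `retryAfterSeconds` field, the `msUntilReset` helper and the sample client key are assumptions made for the example.

```typescript
// Added example, not code from nuxt-security. It models the `throwError`
// switch: a token-bucket limiter that either throws or returns a plain error
// object, plus application code that turns that object into its own response.
// The error shape and the retry-after field are assumptions for this example.

interface LimiterOptions {
  tokensPerInterval: number; // requests allowed per interval
  interval: number;          // interval length in milliseconds
  throwError: boolean;       // true: throw on limit; false: return the error object
}

interface SecurityError {
  statusCode: number;
  statusMessage: string;
}

interface Bucket {
  tokens: number;  // requests left in the current interval
  resetAt: number; // timestamp (ms) at which the bucket refills
}

const TOO_MANY_REQUESTS: SecurityError = { statusCode: 429, statusMessage: 'Too Many Requests' };

class RateLimiter {
  private buckets = new Map<string, Bucket>();

  constructor(private readonly opts: LimiterOptions) {}

  // Consume one token for clientKey. Returns null when the request is allowed.
  // When the bucket is empty: throws if opts.throwError is true, otherwise
  // returns the generic error object for the caller to handle.
  check(clientKey: string, now: number): SecurityError | null {
    let bucket = this.buckets.get(clientKey);
    if (!bucket || now >= bucket.resetAt) {
      bucket = { tokens: this.opts.tokensPerInterval, resetAt: now + this.opts.interval };
      this.buckets.set(clientKey, bucket);
    }
    if (bucket.tokens > 0) {
      bucket.tokens -= 1;
      return null;
    }
    if (this.opts.throwError) {
      throw Object.assign(new Error(TOO_MANY_REQUESTS.statusMessage), TOO_MANY_REQUESTS);
    }
    return { ...TOO_MANY_REQUESTS };
  }

  // Milliseconds until clientKey's bucket refills (0 if unknown or already refilled).
  msUntilReset(clientKey: string, now: number): number {
    const bucket = this.buckets.get(clientKey);
    return bucket ? Math.max(0, bucket.resetAt - now) : 0;
  }
}

interface ClientResponse {
  status: number;
  body: Record<string, unknown>;
}

// Application-side handling for throwError: false. The generic error object
// becomes a custom body, so the application decides what the client learns.
function handleRequest(limiter: RateLimiter, clientKey: string, now: number): ClientResponse {
  const err = limiter.check(clientKey, now);
  if (err === null) {
    return { status: 200, body: { ok: true } };
  }
  if (err.statusCode === 429) {
    const retryAfterSeconds = Math.ceil(limiter.msUntilReset(clientKey, now) / 1000);
    return {
      status: 429,
      body: { error: 'Too many attempts, please wait before trying again.', retryAfterSeconds },
    };
  }
  // Any other limiter error: pass the generic message through unchanged.
  return { status: err.statusCode, body: { error: err.statusMessage } };
}

// Usage: six attempts per minute, as in the login route rule above.
// The client key is a constructed documentation address.
const loginLimiter = new RateLimiter({ tokensPerInterval: 6, interval: 60000, throwError: false });
for (let i = 0; i < 7; i++) {
  console.log(handleRequest(loginLimiter, '198.51.100.7', 1000 * i));
}
```

The seventh call in the usage loop is the first one rejected; because the limiter returned an object rather than throwing, `handleRequest` can attach a retry hint without leaking anything about the limiter's internals.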

Baroshem commented 1 month ago

Unless you are asking about adding custom errors for security headers or CORS/CSRF; those are not possible, as we are using underlying packages/modules for that.

tahirmahmudzade commented 1 month ago

> Unless you are asking about adding custom errors for security headers or CORS/CSRF; those are not possible, as we are using underlying packages/modules for that.

Hey, sorry, I've been busy and completely missed your reply. Thanks a lot, you solved my problem. Closing this issue.