potato4d / nuxt-basic-auth-module

Provide basic auth for your Nuxt.js application
https://www.npmjs.com/package/nuxt-basic-auth-module
MIT License
310 stars, 9 forks

Possible security issue #265

Open ghost opened 1 year ago

ghost commented 1 year ago

Hello,

I have noticed that this middleware doesn't cover files like Nuxt.js runtime/chunk files or static assets. If this is being used in an admin panel for example, then some important data may be leaked. In my opinion it should cover the whole application, not only the pages.

To reproduce: Try viewing a file like 127.0.0.1:3000/_nuxt/runtime.js or some static asset.

Here's how I fixed it myself: Running this middleware using native Express instead of Nuxt middleware will make it run before anything else, therefore protecting internal Nuxt files or static assets.

It can be done by changing the way the middleware is created from this.addServerMiddleware(middleware) to this.nuxt.server.app.use(middleware) (nuxt.server doesn't exist at build time, so it needs to be null checked).

Unfortunately I have no time to make a pull request.

If this is not an issue, then I believe it should be mentioned in the documentation that this middleware doesn't cover files like that.