Releases

Pre-releasev2.0.0-rc.7

Published on Mon Jun 24 2024

Support for #478

This new version updates the regular expressions in the 30-cspSsgHashes.ts file. The previous regular expression was not correctly capturing the content of inline script and style tags in all scenarios.

The old regular expression for inline scripts:

const INLINE_SCRIPT_RE = /<script(?![^>]?\bsrc="\w:.-\/+")^>>(.*?)</script>/gi The updated regular expression:

const INLINE_SCRIPT_RE = /<script(?![^>]?\bsrc="\w:.-\/+")^>>(\s\S?)</script>/gi; The change from (.?) to (\s\S*?) ensures that the regular expression matches any character, including newlines, between the tags. This change improves the accuracy of inline script content capture, ensuring that our CSP security hashes are correctly generated for all inline scripts.

What's Changed

add per route csrf to docs by @moshetanzer in #471
fix(csp): inline script/style have whitespace character by @hlhc in #478

New Contributors

@moshetanzer made their first contribution in #471
@hlhc made their first contribution in #478

Full Changelog: https://github.com/Baroshem/nuxt-security/compare/v2.0.0-rc.6...v2.0.0-rc.7

Pre-releasev2.0.0-rc.6

Published on Fri May 31 2024

🩹 Fixes

Remove Experimental Permission-Policy values from default OWASP values. This clears error warnings in Chrome

Full Changelog: https://github.com/Baroshem/nuxt-security/compare/v2.0.0-rc.5...v2.0.0-rc.6

Pre-releasev2.0.0-rc.5

Published on Fri May 31 2024

Improved Security Score 🥇

We apply the Mozilla recommendations for CSP defaults

deny by default with default-src 'none'
allow on a directive-by-directive basis

Our Mozilla Score is now 120/100 Screenshot 2024-05-31 at 13 37 40

Full Changelog: https://github.com/Baroshem/nuxt-security/compare/v2.0.0-rc.4...v2.0.0-rc.5

Pre-releasev2.0.0-rc.4

Published on Fri May 31 2024

🩹 Fixes

Add default value for connect-src CSP directive. Update documentation for new OWASP defaults

Full Changelog: https://github.com/Baroshem/nuxt-security/compare/v2.0.0-rc.3...v2.0.0-rc.4

Pre-releasev2.0.0-rc.3

Published on Thu May 30 2024

🩹 Fixes

Set CSP default-src to OWASP recommended value

Full Changelog: https://github.com/Baroshem/nuxt-security/compare/v2.0.0-rc.2...v2.0.0-rc.3

Pre-releasev2.0.0-rc.2

Published on Thu May 30 2024

🩹 Fixes

Fixes build failure due to misconfigured rollup step

What's Changed

Chore/2.0.0 rc.1 by @Baroshem in #448
Update package version by @vejja in #461

Full Changelog: https://github.com/Baroshem/nuxt-security/compare/v2.0.0-rc.1...v2.0.0-rc.2

Pre-releasev2.0.0-rc.1

Published on Thu May 30 2024

2.0.0-rc.1 🎉

This is a release candidate for the upcoming v2 of Nuxt Security.

A+ Score by default

Our new version delivers an A+ security rating by default on both the Mozilla Observatory and SecurityHeaders.com Our documentation page is deployed with Nuxt-Security and is tested on these two scanners: 329857551-f181edcd-7059-4399-9af0-26c83a9dc48e 329857562-d28f9b97-de64-49d8-9969-eef2692e6dd1

Performance optimization

We are considerably improving the performance of Nuxt Security with this release, by removing all dependency from cheerio. Applications running in lightweight environments such as workers, will benefit from significantly reduced CPU and memory usage, and increased page delivery.

Many thanks to @GalacticHypernova for leading the full rewrite of our HTML parsing engine 💚

All Nuxt modes

Security headers are now deployed in all Nuxt rendering modes:

Universal
Client-only
Hybrid

See #441 for details.

OWASP compliance

We are updating our default security settings to conform with the latest OWASP default values for headers. Users benefit from these updating settings out of the box, with no changes required.

See #450 for details.

Full static support

We are significantly improving application security for static websites:

If the site is deployed with a Nitro Preset, security headers are now delivered natively. Netlify and Vercel static presets have been fully tested.
If the site is deployed in a custom environment (e.g. bare-metal server), we provide a new prerenderedHeaders build-time hook that exposes all security headers for complete control of your server's headers.

Other features

We now conform to the HTML5 standard when inserting the CSP http-equip meta tag.
We now support all unstorage drivers options for the RateLimiter. Users can fully use any supported driver (Redis, Vercel KV, etc.)

👉 Changelog compare changes

❤️ Contributors

@GalacticHypernova

What's Changed

feat(core): use virtual file system for SRI by @vejja in #435
feat(core): Security Headers for Pre-rendered Routes by @vejja in #441
feat(docs): add security to docs by @vejja in #451
perf: avoid cheerio in favor of regex by @GalacticHypernova in #404
fix(csp): ensure charset meta at top of head by @vejja in #449
fix(docs): update FAQ section on --host mode by @vejja in #456
feat(core) : owasp default values by @vejja in #450
fix(core): spread storage options by @vejja in #452
fix: remove navigate-to csp directive by @GalacticHypernova in #457
fix(types): allow middleware props to be optional when specified in global config by @GalacticHypernova in #458

Releasev1.4.0

Published on Fri Apr 26 2024

1.4.0 🎉

This version is a significant rewrite of the core engine of Nuxt Security, motivated primarily by the introduction of runtime hooks in PR #298 by @huang-julien and comments thereon by @harlan-zw.

Huge kudos to @vejja for delivering this great functionality 💚

Full Route-Level Compatibility

This great addition by Sebastien is well detailed here #429 but as short summary can be seen below.

New features

All security options can now be modified via runtime hooks It is now possible to modify any of the Nuxt Security options, and not solely the headers : any other option such as hidePoweredBy, rateLimiter, is now taken into consideration and applied at route level.
Route rules are now consistently merged The router merging strategy is now the same irrespective of the way the security options are set (inline, global, routeRules, and runtime hooks). Previously, it was a mix of defu, defuReplaceArray, and plain overwriting - leading to confusion on how nested rules would apply (see #430 for instance). We now apply the defuReplaceArray strategy across the board.
Clear scoping of security headers to HTML pages, SWR support We now make a clearer distinction between the scope of Nitro plugins (modifying HTML pages and their headers) and the scope of Server middlewares (functions that apply to all routes). This avoids to overwrite headers of non-HTML assets with irrelevant options, and as a result we are able to support SWR natively.
Route-level support of RateLimiter Thanks to the ability to resolveSecurityRoutes at runtime, we are now able to support route-based definitions for the Rate Limiter. This solves the issue of getting 429 denials for routes where we want to have a higher rate limit. We also take this opportunity to solve the issue of getting 429s when pre-rendering.

New runtime hook

This PR introduces a new runtime hook : nuxt-security:routeRules, that allows to modify any security rule on any route. With this hook, the user is now able to apply any strategy for the rule (merge, overwrite, append, etc.).

nitroApp.hooks.hook('nuxt-security:routeRules', async routeRules => {
  // any kind of modification of routeRules here, such as :
  routeRules['/my-route'] = ...
 })

The former nuxt-security:ready & nuxt-security:headers hooks are still supported but we are soft-depecrating them by removing them from the documentation.

Additional notes

This version also soft-deprecates the substitution merging via string syntax feature. This is now rendered unnecessary because the defuReplaceArray strategy is applied consistently everywhere.

We are removing corresponding mentions in the documentation, which were confusing (it only applied to headers, and it only applied in the router merging step but not in the definition step). The feature still exists to maintain backwards compatibility.

Please note that some security options can only be applied globally (removeLoggers, csrf and basicAuth) because they depend on third-party modules. The TypeScript definitions have been updated to remove these 3 options from the properties that can be set at route-level.

🗞️ Next steps

We are planning a new release soon with the Nuxt DevTools Tab support 🚀

👉 Changelog compare changes

❤️ Contributors

@vejja
@Jesse1989pp made their first contribution
@Dominic-Marcelino made their first contribution
@snepsnepy made their first contribution

What's Changed

Vejja/issue413 by @vejja in #414
update(doc): recommend useScript for Nuxt 3.11+ by @vejja in #403
chore: bump unplugin-remove to fix sourcemap warnings by @Jesse1989pp in #420
Update 1.csp.md - FIX comparison in docs by @Dominic-Marcelino in #424
Fixed small typo found in the documentation by @snepsnepy in #431
feat(core): unified router context by @vejja in #429
Closes #269 : Rate Limiter is now disabled when building with SSG
Closes #281 : Rate Limiter now records requests at the route level
Closes #300: All security options are now configurable via the new runtime hook
Closes #385 : All security options are now resolved with the same merging strategy
Closes #392 : Rate Limiter now supports any endpoint, including /api routes
Closes #428 : SWR is now natively supported
Closes #430 : There is no need to use string syntax anymore to overwrite higher-level rules
Closes #432 : The function insertNonceInCsp now correctly handles boolean value for CSP directives

Releasev1.3.0

Published on Wed Apr 03 2024

1.3.0 🎉

This version brings several bugfixes and small new features.

Kudos to all contributors! 💚

🗞️ Next steps

We are already planning a release 1.3.0 that will include support for rate limiter global and per route as well as protecting api 🚀

👉 Changelog compare changes

🚀 Enhancements

fetch buffers from storage and convert to object
enhance FormData with XSS validation feature

🩹 Fixes

remove frame-ancestors from meta
generate meta tag without html,head,body tags
do not decode entities in HTML
opt in to import.meta.* properties
set nonce in response headers instead of using configuration

📖 Documentation

use new nuxi module add command in installation

🏡 Chore

🤖 CI

❤️ Contributors

@vejja
@huang-julien
@Ray0907 made their first contribution
@danielroe
@mtdvlpr

What's Changed

fix(ssg): remove frame-ancestors from meta by @vejja in #388
fix(ssg): generate meta tag without html,head,body tags by @mtdvlpr in #387
fix(core): do not decode entities in HTML by @vejja in #394
sri: fetch buffers from storage and convert to object by @vejja in #396
Enhance FormData with XSS validation feature. by @Ray0907 in #401
fix: opt in to import.meta.* properties by @danielroe in #406
fix: set nonce in response headers instead of using configuration by @huang-julien in #408
docs: use new nuxi module add command in installation by @danielroe in #410
Chore/1.3.0 by @Baroshem in #399

Releasev1.2.0

Published on Thu Feb 22 2024

1.2.0 🎉

This version brings several bugfixes and small new features mostly related to XSS Validator.

Kudos to all contributors! 💚

🗞️ Next steps

We are already planning a release 1.3.0 that will include support for DevTools 🚀

👉 Changelog compare changes

🚀 Enhancements

add escapeHtml option to XssValidator
allow users to configure methods for XSSValidator
disable meta tag for SSG mode

🩹 Fixes

add explicit imports for setHeader and removeResponseHeader in 00-context.ts
move middleware logic to beforeResponse

📖 Documentation

fix the example for runtime hooks
handling state with care
add favicon fix

🏡 Chore

🤖 CI

❤️ Contributors

@vejja
@huang-julien
@scottix made their first contribution in #368
@stefffens made their first contribution in #374
@Morgbn made their first contribution in #377
@GalacticHypernova made their first contribution in #376
@mtdvlpr made their first contribution in #340

What's Changed

docs: fix the example for runtime hooks by @huang-julien in #366
docs: handling state with care by @scottix in #368
fix(runtime-hooks): move middleware logic to beforeResponse by @huang-julien in #370
fix: add explicit imports for setHeader and removeResponseHeader in 00-context.ts by @stefffens in #374
feat: add escapeHtml option to XssValidator by @Morgbn in #377
feat: allow users to configure methods for XSSValidator by @GalacticHypernova in #376
feat(ssg): disable meta tag for SSG mode by @mtdvlpr in #340

Releasev1.1.0

Published on Thu Feb 01 2024

1.1.0 🎉

1.1.0 is the first minor release for a stable 1.0.0 version

The biggest feature of this version is a support for runtime config by @huang-julien ❤️ Take a look at below instructions to understand how to use it in your app.

If you need to change the headers configuration at runtime, it is possible to do it through nuxt-security:headers hook.

Enabling the option

This feature is optional, you can enable it with

export default defineNuxtConfig({
    modules: ['nuxt-security'],
    security: {
        runtimeHooks: true
    }
})

Within your nitro plugin. You can override the previous configuration of a route with nuxt-security:headers.

export default defineNitroPlugin((nitroApp) => {
    nitroApp.hooks.hook('nuxt-security:ready', () => {
        nitroApp.hooks.callHook('nuxt-security:headers', '/**' ,{
            contentSecurityPolicy: {
                "script-src": ["'self'", "'unsafe-inline'"],
            },
            xFrameOptions: false
        })
    })
})

And also, huge kudos to all contributors 🎉

🗞️ Next steps

We are already planning a release 1.2.0 with additional cool features. Stay tuned! 🚀

👉 Changelog compare changes

🚀 Enhancements

allow configuring headers in runtime
improving performance for SSG apps by cheerio optimizations

🩹 Fixes

disable 05-cspSsgPresets

📖 Documentation

correct default for crossOriginEmbedderPolicy
add new video and introduction page
add favicon fix

🏡 Chore

🤖 CI

❤️ Contributors

What's Changed

ADD favicon fix #332 by @CMarzin in #345
Disable 05-cspSsgPresets by @vejja in #349
docs: add new video and introduction page by @AfganAbbas in #350
feat: allow configuring headers in runtime by @huang-julien in #298
docs: correct default for crossOriginEmbedderPolicy by @felix-dolderer in #353
Patch for cheerio performance by @vejja in #354
Further optimization patch for cheerio by @vejja in #358
Chore/1.1.0 by @Baroshem in #347

New Contributors

@CMarzin made their first contribution in #345
@AfganAbbas made their first contribution in #350
@huang-julien made their first contribution in #298
@felix-dolderer made their first contribution in #353

Releasev1.0.0

Published on Wed Dec 13 2023

1.0.0 🎉

1.0.0 is the stable release

After five release candidate versions, we are now ready to present you a stable 1.0.0 release of NuxtSecurity. We have spent a lot of time trying to stabilise the API while constantly improving the security by implementing features like:

Strict Content Security Policy
Improved Rate Limiter
Subresource Integrity
Nonce
Per route Security headers configuration
Documentation about improving security of your Nuxt app

From this point I would like to thank @vejja who did an amazing work delivering a lot of functionalities mentioned both above and below. You are a magician! 🚀

And also, huge kudos to all contributors 🎉

✅ Migration Guide (0.14.X -> 1.0.0)

We have tried our best not to include significant breaking changes in the recent stable 1.0.0 version but some changes were necessary to improve quality of the module. Don't worry, we have prepared a migration guide with all the changes and how you should approach when migrating your current application to be up to date with 1.0.0 :)

1. Modifed the structure for `alllowedMethodsRestricter`

In the previous version, alllowedMethodsRestricter was an array of HTTP methods or '*' for all methods.

export default defineNuxtConfig({
  security: {
    allowedMethodsRestricter: ['GET']
  }
}

Now it is configured like following:

export default defineNuxtConfig({
  security: {
    allowedMethodsRestricter: {
      methods: ['GET'],
      throwError?: true,
    }
  }
}

This change allows to pass a throwError property that can be useful to return an error response rather than throwing a default Nuxt error.

2. Changed the disabled value for `permissionsPolicy`

In the previous version, if you wanted to disable certain API like camera you would do something like this:

export default defineNuxtConfig({
  security: {
    headers: {
      permissionsPolicy: {
        'camera': [()]
      },
    },
  },
})

Now it is configured like following:

export default defineNuxtConfig({
  security: {
    headers: {
      permissionsPolicy: {
        'camera': [] // This will block usage of camera by this website
      },
    },
  },
})

This change allows to fix an issue of passing several directives mentioned in #194

3. Changed the type of `interval` in `rateLimiter`

In the previous version, if you wanted to set the interval for your rateLimiter you would do something like this:

export default defineNuxtConfig({
  security: {
    rateLimiter: {
      interval: 'hour' | 60000
    }
  }
})

Now it is configured like following:

export default defineNuxtConfig({
  security: {
    rateLimiter: {
      interval: 60000
    }
  }
})

This change was required to migrate to an updated rateLimiter that supports modern examples.

4. Nonce value

In the previous version, nonce could be either an object with a type NonceOptions or false.

export type NonceOptions = {
  enabled: boolean;
  mode?: 'renew' | 'check';
  value?: (() => string);
}

Now it is only a boolean value:

export default defineNuxtConfig({
  security: {
    nonce: true | false
  }
}

This change was necessary to resolve security vulnerability for nonce reported by vejja #257. Read more about the new usage of nonce in this module https://nuxt-security.vercel.app/documentation/headers/csp#nonce

5. Strict Content Security Policy by default

In this version, we have updated ContentSecurityConfiguration by a mile, specifically we have enabled strict CSP by default to spread good security practices.

If you are experiencing some issues with CSP, check out the new documentation about it:

Basic CSP usage -> https://nuxt-security.vercel.app/documentation/headers/csp
Advanced & Strict CSP -> https://nuxt-security.vercel.app/documentation/advanced/strict-csp

🍾 New features

This PR introduces per-route configuration of security headers, via

defineNuxtConfig({
  routeRules: {
    [some-route]: {
      security: {
        headers : ...
      }
    }
  }
})

🗞️ Next steps

This is the last release candidate version. In the next weeks we are planning to release stable 1.0.0 version :)

👉 Changelog compare changes

🚀 Enhancements

move logic of Static plugins to the top of module.ts to decrease the amount of code for SSG apps
improve rateLimiter with support for unstorage (#190)
remove console.logs after build (#128)
add an include option for basicAuth (#219)
option to disable hashing for SSG (#215)
support for CRSF in Serverless Environments
Add credentialless value to Cross-Origin-Embedder-Policy header
Export configuration type
Improve CSP Compliance
ensure csp plugins are added last
Extend CSP support of SSG mode
use cheerio HTML parser for CSP
hashStyles option
Strict CSP by default
SRI hashes for SSG mode
Subresource Integrity
Per-route object based headers configuration
Limiting CSP header to HTML responses only
Migrate to Node 18.X
Allow falling back to global options when per-route option is not provided

🩹 Fixes

useCsrf() is undefined (#203)
CSRF tokens cause breakage on build using serverless environments due to incompatible exports of Node Crypto (#167)
upgrade-insecure-requests cannot be turned off for static build (#214)
invalid permission policy parser (#194)
remove broken test for nonce (#213)
Basic Auth Configuration for Multiple Paths
Nonce value is injected in all pre-rendered pages if the nonce option is set to true
failed to find a valid digest in the 'integrity' attribute
Strict-Transport-Security as string not parsing max-age correctly
Nuxt 3.8.1 breaks Subresource Integrity
Unrecognized Content-Security-Policy directive 'undefined'
Build fails because of removeLoggers
allow csp value to be false

📖 Documentation

refactor docs to be easier (#135)
create faq section in docs from questions in Github issues (#192)
security composable to use in pages (#217)
Content-Security-Policy: The page’s settings blocked the loading of a resource at inline (#218)
custom CSP merger (#198)
stripe blocked by 'Cross-Origin-Embedder-Policy' (#229)
update 3.rate-limiter.md fix comma (#204)
New section for Contributing
New section for Usage
Reorganised Navigation
Added global Search
New Homepage
New section for Headers
New section for utils
Embedded Playground
New page for Releases
Migrated to newest docus
New Preview Image
Per Route Security configuration with headers
Clarify rateLimiter interval property
Advanced documentation about Content Security Policy
Cross-Origin-Resource-Policy header Error on Paypal Checkout -> FAQ

🏡 Chore

remove legacy approach for middlewares in types and module.ts file (#191)
bump packages to newer versions (#183) -> Nuxt 3.2 -> 3.7
Reorganized project repository for easier maintenance
specify package manager (#225)
do not use default export for defu (#224)
Improve TS config

🤖 CI

improved CI script for automatic unit tests for main, rc, and renovate branches

❤️ Contributors

vejja (@vejja)
Jonas Thelemann (@dargmuesli)
Thomas Rijpstra (@trijpstra-fourlights)
Nik (@n4an)
Daniel Roe (@danielroe)
Pooya Parsa (@pi0)
Sébastien Chopin (@Atinux)
Mr. K V (@69u)
Jonas Thelemann (@dargmuesli)
Loïs (@Applelo)
Max Druzhinin (@maxdzin)
Fabricio Carvalho (@fabricioOak)
nekotoriy (@nekotoriy)
Insomnius (@insomnius)
Boring Dragon (@boring-dragon)
Espen Solli Grande (@espensgr)
vejja (@vejja)
Tristan (@Tristan971)
nsratha (@rathahin)
Geeky Shows (@geekyshow1)

What's Changed

Update 3.rate-limiter.md fix comma by @insomnius in #204
fix: remove broken test for nonce by @trijpstra-fourlights in #213
chore(package): specify manager by @dargmuesli in #225
chore(defu): do not use default export by @dargmuesli in #224
docs(configuration): add layer overriding instructions by @dargmuesli in #226
ci: run on all pull requests and more branches by @dargmuesli in #223
Add Missing commas inside the docs examples by @boring-dragon in #234
chore: update nonce docs about unsafe-inline during development by @trijpstra-fourlights in #240
Add documentation for updating headers on a specific route by @fabricioOak in #242
Chore/1.0.0 rc.1 by @Baroshem in #212
Update 3.crossOriginEmbedderPolicy.md by @espensgr in #261
Fix/nonce-ssg by @vejja in #245
Ensure all types are exported by @Tristan971 in #264
improve CSP compliance by @vejja in #257
Fix/typescript-config by @vejja in #248
fix(csp): ensure-plugins-last by @vejja in #271
feat(csp): Extend CSP support of SSG mode by @vejja in #272
Fix Basic Auth Configuration for Multiple Paths by @rathahin in #267
feat(csp): use cheerio parser by @vejja in #275
feat(csp): add hashStyles option for SSG by @vejja in #274
Chore/1.0.0 rc.3 by @Baroshem in #262
docs(csp): Documentation on CSP by @vejja in #282
feat(csp): hashStyles option by @vejja in #278
feat(sri): Subresource Integrity by @vejja in #285
feat(csp): SRI hashes for SSG mode by @vejja in #287
fix(headers): allow csp value to be false by @dargmuesli in #286
feat(csp): Strict CSP by default by @vejja in #289
chore/1.0.0-rc.4 by @Baroshem in #283
docs: update route rules docs by @Baroshem in #296
feat(chore): Headers per route by @vejja in #304
Chore/1.0.0 rc.5 by @Baroshem in #311
fix(csrf): replace CSRF option false with boolean by @Mohamed-Kaizen in #284
feat(doc): extend FAQ with Prismic by @vejja in #316
Fix(types): do not overwrite @nuxt/schema by @vejja in #320
fix(chore): hidePoweredBy error by @vejja in #318
fix: csp false in rc5 removes custom csp header by @vejja in #322
improve implementation and add tests by @vejja in #323
Documentation typo change from route roules to route rules by @eyopa21 in #325
inject integrity attribute only on valid HTML elements by @vejja in #328
Chore/1.0.0 by @Baroshem in #317

New Contributors

@insomnius made their first contribution in #204
@dargmuesli made their first contribution in #225
@boring-dragon made their first contribution in #234
@fabricioOak made their first contribution in #242
@espensgr made their first contribution in #261
@vejja made their first contribution in #245
@rathahin made their first contribution in #267
@Mohamed-Kaizen made their first contribution in #284
@eyopa21 made their first contribution in #325

Pre-releasev1.0.0-rc.5

Published on Tue Dec 05 2023

1.0.0-rc.5 is the next release candidate

🍾 New features

This PR introduces per-route configuration of security headers, via

defineNuxtConfig({
  routeRules: {
    [some-route]: {
      security: {
        headers : ...
      }
    }
  }
})

🗞️ Next steps

This is the last release candidate version. In the next weeks we are planning to release stable 1.0.0 version :)

👉 Changelog compare changes

🚀 Enhancements

Per-route object based headers configuration
Limiting CSP header to HTML responses only
Migrate to Node 18.X
Allow falling back to global options when per-route option is not provided

🩹 Fixes

failed to find a valid digest in the 'integrity' attribute
Strict-Transport-Security as string not parsing max-age correctly
Nuxt 3.8.1 breaks Subresource Integrity
Unrecognized Content-Security-Policy directive 'undefined'
Build fails because of removeLoggers

📖 Documentation

Per Route Security configuration with headers

❤️ Contributors

vejja (@vejja)

Pre-releasev1.0.0-rc.4

Published on Wed Nov 15 2023

1.0.0-rc.4 is the next release candidate

🗞️ Next steps

We are planning to release one or two more release candidate versions before a stable 1.0.0 version will be released.

✅ Migration Guide

This version may include ⚠️ breaking changes but don't worry, we have prepared migration guide for you 😉

In this version, we have updated ContentSecurityConfiguration by a mile, specifically we have enabled strict CSP by default to spread good security practices.

If you are experiencing some issues with CSP, check out the new documentation about it:

Basic CSP usage -> https://nuxt-security.vercel.app/documentation/headers/csp
Advanced & Strict CSP -> https://nuxt-security.vercel.app/documentation/advanced/strict-csp

👉 Changelog compare changes

🚀 Enhancements

hashStyles option
Strict CSP by default
SRI hashes for SSG mode
Subresource Integrity

🩹 Fixes

allow csp value to be false

📖 Documentation

Advanced documentation about Content Security Policy
Cross-Origin-Resource-Policy header Error on Paypal Checkout -> FAQ

⚠️ Breaking Changes

Strict CSP

❤️ Contributors

vejja (@vejja)
Jonas Thelemann (@dargmuesli)
Geeky Shows (@geekyshow1)

Pre-releasev1.0.0-rc.3

Published on Wed Nov 01 2023

1.0.0-rc.3 is the next release candidate

🗞️ Next steps

We are planning to release one or two more release candidate versions with bugfixes before a stable 1.0.0 version will be released.

✅ Migration Guide

This version includes ⚠️ breaking changes but don't worry, we have prepared migration guide for you 😉

In the previous version, nonce could be either an object with a type NonceOptions or false.

export type NonceOptions = {
  enabled: boolean;
  mode?: 'renew' | 'check';
  value?: (() => string);
}

Now it is only a boolean value:

export default defineNuxtConfig({
  security: {
    nonce: true | false
  }
}

👉 Changelog compare changes

🚀 Enhancements

Add credentialless value to Cross-Origin-Embedder-Policy header
Export configuration type
Improve CSP Compliance
ensure csp plugins are added last
Extend CSP support of SSG mode
use cheerio HTML parser for CSP

🩹 Fixes

Basic Auth Configuration for Multiple Paths
Nonce value is injected in all pre-rendered pages if the nonce option is set to true

📖 Documentation

Clarify rateLimiter interval property

🏡 Chore

Improve TS config

⚠️ Breaking Changes

CSP Compliance

❤️ Contributors

Espen Solli Grande (@espensgr)
vejja (@vejja)
Tristan (@Tristan971)
Jonas Thelemann (@dargmuesli)
nsratha (@rathahin)

🏋️‍♂️ New Contributors

@espensgr made their first contribution in #261
@vejja made their first contribution in #245
@rathahin made their first contribution in #267

Pre-releasev1.0.0-rc.1

Published on Wed Oct 18 2023

1.0.0-rc.1 is the first release candidate

🗞️ Next steps

We are planning to release one or two more release candidate versions with bugfixes before a stable 1.0.0 version will be released.

✅ Migration Guide

This version includes ⚠️ breaking changes but don't worry, we have prepared migration guide for you 😉

Modifed the structure for `alllowedMethodsRestricter`

In the previous version, alllowedMethodsRestricter was an array of HTTP methods or '*' for all methods.

export default defineNuxtConfig({
  security: {
    allowedMethodsRestricter: ['GET']
  }
}

Now it is configured like following:

export default defineNuxtConfig({
  security: {
    allowedMethodsRestricter: {
      methods: ['GET'],
      throwError?: true,
    }
  }
}

This change allows to pass a throwError property that can be useful to return an error response rather than throwing a default Nuxt error.

Changed the disabled value for `permissionsPolicy`

In the previous version, if you wanted to disable certain API like camera you would do something like this:

export default defineNuxtConfig({
  security: {
    headers: {
      permissionsPolicy: {
        'camera': [()]
      },
    },
  },
})

Now it is configured like following:

export default defineNuxtConfig({
  security: {
    headers: {
      permissionsPolicy: {
        'camera': [] // This will block usage of camera by this website
      },
    },
  },
})

This change allows to fix an issue of passing several directives mentioned in #194

Changed the type of `interval` in `rateLimiter`

In the previous version, if you wanted to set the interval for your rateLimiter you would do something like this:

export default defineNuxtConfig({
  security: {
    rateLimiter: {
      interval: 'hour' | 60000
    }
  }
})

Now it is configured like following:

export default defineNuxtConfig({
  security: {
    rateLimiter: {
      interval: 60000
    }
  }
})

This change was required to migrate to an updated rateLimiter that supports modern examples.

👉 Changelog compare changes

🚀 Enhancements

move logic of Static plugins to the top of module.ts to decrease the amount of code for SSG apps
improve rateLimiter with support for unstorage (#190)
remove console.logs after build (#128)
add an include option for basicAuth (#219)
option to disable hashing for SSG (#215)
support for CRSF in Serverless Environments

🩹 Fixes

useCsrf() is undefined (#203)
CSRF tokens cause breakage on build using serverless environments due to incompatible exports of Node Crypto (#167)
upgrade-insecure-requests cannot be turned off for static build (#214)
invalid permission policy parser (#194)
remove broken test for nonce (#213)

📖 Documentation

refactor docs to be easier (#135)
create faq section in docs from questions in Github issues (#192)
security composable to use in pages (#217)
Content-Security-Policy: The page’s settings blocked the loading of a resource at inline (#218)
custom CSP merger (#198)
stripe blocked by 'Cross-Origin-Embedder-Policy' (#229)
update 3.rate-limiter.md fix comma (#204)
New section for Contributing
New section for Usage
Reorganised Navigation
Added global Search
New Homepage
New section for Headers
New section for utils
Embedded Playground
New page for Releases
Migrated to newest docus
New Preview Image

🏡 Chore

remove legacy approach for middlewares in types and module.ts file (#191)
bump packages to newer versions (#183) -> Nuxt 3.2 -> 3.7
Reorganized project repository for easier maintenance
specify package manager (#225)
do not use default export for defu (#224)

🤖 CI

improved CI script for automatic unit tests for main, rc, and renovate branches

⚠️ Breaking Changes

Permissions Policy
Allowed Methods Restricter

❤️ Contributors

Nik (@n4an)
Daniel Roe (@danielroe)
Thomas Rijpstra (@trijpstra-fourlights)
Pooya Parsa (@pi0)
Sébastien Chopin (@Atinux)
Mr. K V (@69u)
Jonas Thelemann (@dargmuesli)
Loïs (@Applelo)
Max Druzhinin (@maxdzin)
Fabricio Carvalho (@fabricioOak)
nekotoriy (@nekotoriy)
vejja (@vejja)
Insomnius (@insomnius)
Boring Dragon (@boring-dragon)

🏋️‍♂️ New Contributors

@insomnius made their first contribution in #204
@dargmuesli made their first contribution in #225
@boring-dragon made their first contribution in #234
@fabricioOak made their first contribution in #242

Releasev0.14.4

Published on Tue Sep 05 2023

What's Changed

fix #185: errors in xss validation by @Baroshem in #186
Add throwError?: boolean to types that need it by @csprance in #189
docs: added trpc-nuxt configuration section by @kouts in #201

New Contributors

@csprance made their first contribution in #189
@kouts made their first contribution in #201

Full Changelog: https://github.com/Baroshem/nuxt-security/compare/v0.14.2...v0.14.4

Releasev0.14.2

Published on Wed Jul 19 2023

What's Changed

fix: nonce and ssg usage by @trijpstra-fourlights in #181

Full Changelog: https://github.com/Baroshem/nuxt-security/compare/v0.14.1...v0.14.2

Releasev0.14.1

Published on Tue Jul 18 2023

What's Changed

fix: nonce quirks when using ssr by @trijpstra-fourlights in #177
fix: csp ssg by @Baroshem in #179

Full Changelog: https://github.com/Baroshem/nuxt-security/compare/v0.14.0...v0.14.1

Releasev0.14.0

Published on Fri Jul 14 2023

What's Changed

feat: add nonce support to csp by @trijpstra-fourlights in #171

New Contributors

@trijpstra-fourlights made their first contribution in #171

Full Changelog: https://github.com/Baroshem/nuxt-security/compare/v0.13.1...v0.14.0

Releasev0.13.1

Published on Mon Jun 19 2023

What's Changed

docs: fix typo by @lanluartes in #139
fix(docs): default value for Permissions-Policy by @tmlmt in #148
Install options by @Droutin in #143
feat: basic auth exclude routes option by @alexbidenko1998 in #145
fix: add compatibility for modern module resolutions by @kyranet in #157

New Contributors

@lanluartes made their first contribution in #139
@tmlmt made their first contribution in #148
@Droutin made their first contribution in #143
@alexbidenko1998 made their first contribution in #145
@kyranet made their first contribution in #157

Full Changelog: https://github.com/Baroshem/nuxt-security/compare/v0.13.0...v0.13.1

Releasev0.13.0

Published on Tue Mar 21 2023

🚨 Breaking Changes

This Release introduces a new approach to registering security headers and middlewares by using the routeRules. I tried my best to provide backward compatibility but you may experience issues in your projects.

Basically, the configuration provided in security object in nuxt.config.ts is now used as a global configuration while any per-route configuration is now handled by routeRules.

Check out the docs to see the changes: https://nuxt-security.vercel.app/getting-started/configuration

What's Changed

fix: basic auth by @Baroshem in #126
feat: #109 routeRules support by @Baroshem in #129
feat: #116 add vitest tests by @Baroshem in #131
0.13.0 by @Baroshem in #130

Full Changelog: https://github.com/Baroshem/nuxt-security/compare/v0.12.0...v0.13.0

Releasev0.12.0

Published on Thu Mar 09 2023

What's Changed

feat: #114 migrate cors by @Baroshem in #119
feat: #118 cors default origin by @Baroshem in #120
feat: #117 add permisions policy by @Baroshem in #121

Full Changelog: https://github.com/Baroshem/nuxt-security/compare/v0.11.0...v0.12.0

Releasev0.11.0

Published on Thu Mar 02 2023

What's Changed

documentation Fixed typo for "anti-trojan-source" by @mubaidr in #99
Fix incorrect auth condition in basic-auth by @Tristan971 in #102
chore: bump nuxt to 3.2.0 by @Baroshem in #105
docs: rewrite by @Baroshem in #110
feat: csrf by @Baroshem in #111
docs: use security checklists by @Baroshem in #113
feat: enable CSP for SSG by @tresko in #112
chore: small corrections before release by @Baroshem in #115

New Contributors

@mubaidr made their first contribution in #99
@Tristan971 made their first contribution in #102
@tresko made their first contribution in #112

Full Changelog: https://github.com/Baroshem/nuxt-security/compare/v0.10.2...v0.11.0

Releasev0.10.2

Published on Mon Jan 30 2023

What's Changed

Fix Module Options by @runyasak in #88
docs: add stackblitz to repo by @Baroshem in #91
Docs/add stackblitz to repo by @Baroshem in #92
fix: nuxt 3.1.X x-powered-by by @Baroshem in #94

New Contributors

@runyasak made their first contribution in #88

Full Changelog: https://github.com/Baroshem/nuxt-security/compare/v0.10.1...v0.10.2

Releasev0.10.1

Published on Mon Jan 16 2023

What's Changed

fix: add runtime dir to nitro inline array by @pi0 in #84

New Contributors

@pi0 made their first contribution in #84

Full Changelog: https://github.com/Baroshem/nuxt-security/compare/v0.10.0...v0.10.1

Releasev0.10.0

Published on Mon Jan 02 2023

What's Changed

fix: use custom merger for options to avoid array values concatenation by @Qrzy in #80
docs: add video tutorial by @Baroshem in #76
feat: optional throw error by @Baroshem in #75
feat: add enabled config option by @Baroshem in #72

Full Changelog: https://github.com/Baroshem/nuxt-security/compare/v0.9.0...v0.10.0

Releasev0.9.0

Published on Tue Dec 06 2022

What's Changed

chore: replace npm with yarn in readme by @DamianGlowala in #63
refactor: minor improvements in rateLimiter by @DamianGlowala in #62
chore: lint files by @DamianGlowala in #61
feat: improve headers config and types by @Qrzy in #65
fix: xss protection header should be a string by @danielroe in #68

New Contributors

@DamianGlowala made their first contribution in #63
@danielroe made their first contribution in #68

Full Changelog: https://github.com/Baroshem/nuxt-security/compare/v0.8.0...v0.9.0

Releasev0.8.0

Published on Fri Nov 18 2022

What's Changed

feat: bump to nuxt 3.0.0 by @Baroshem in #56
Feat/basic auth by @Baroshem in #57

Full Changelog: https://github.com/Baroshem/nuxt-security/compare/v0.7.0...v0.8.0

Releasev0.7.0

Published on Fri Nov 11 2022

What's Changed

docs: correct headers default config in docs by @Qrzy in #49
Chore/0.7.0 by @Baroshem in #53
Added new good practices docs
Bump to Nuxt 3.0.0-rc.13
Fixed some type issus
Found a reason for failing on Windows - now investigating further but also found a workaround

New Contributors

@Qrzy made their first contribution in #49

Full Changelog: https://github.com/Baroshem/nuxt-security/compare/v0.6.0...v0.7.0

Releasev0.6.0

Published on Fri Nov 04 2022

Fixed issues with the module on Windows
Fixed issues in npm page
Added new docs about Security Good Practices
Fixed completely hiding 'X-Powered-By' header

What's Changed

Chore/0.6.0 by @Baroshem in #45

Full Changelog: https://github.com/Baroshem/nuxt-security/compare/v0.5.0...v0.6.0

Releasev0.5.0

Published on Sat Oct 29 2022

What's Changed

feat: hide powered by by @Baroshem in #36
docs: add Good Practices section by @Baroshem in #37
feat: add allowedMethodsRestricter by @Baroshem in #39

Full Changelog: https://github.com/Baroshem/nuxt-security/compare/v0.4.0...v0.5.0

Releasev0.4.0

Published on Sat Oct 22 2022

With this version we have refactored the security header middlewares into recently released routeRoules that should be faster and easier to override by the user.