Releases
Release v2.1.2
Published on Tue Nov 19 2024
Hotfix release: re-enable console.logs in dev mode
This release prevents Nuxt Security from removing console.log statements in development mode.
Nuxt Security helps you ship safer applications by removing console.log statements when the removeLoggers option is set to true, which is the default value. However, removing console.log statements by default in development mode as well caused our users to search for why their logs were disappearing.
With this release, removeLoggers only removes console.log statements in production builds.
Full Changelog: https://github.com/Baroshem/nuxt-security/compare/v2.1.1...v2.1.2
Release v2.1.1
Published on Thu Nov 14 2024
Hotfix release: Node 18 compatibility
This hotfix release re-introduces support for Node 18. Node 18 is the minimum requirement for all Nuxt 3 applications.
Full Changelog: https://github.com/Baroshem/nuxt-security/compare/v2.1.0...v2.1.1
Release v2.1.0
Published on Thu Nov 14 2024
2.1.0
This is a new minor version where we focused mainly on fixing bugs, but we also introduced Continuous Releases by Stackblitz!
Enjoy!
Contributors
- @vejja
- @dungsil made their first contribution in #530
- @DamianGlowala
- @Baroshem
What's Changed
- docs: fix broken links by @dungsil in #530
- fix: devtools being blocked in strict mode by @dungsil in #531
- feat(csp): trusted types by @vejja in #529
- fix(sri): incorrect cdnUrl resolution by @vejja in #536
- docs: mention correct default value for COOP by @DamianGlowala in #543
- feat(core): Vite native method to remove loggers by @vejja in #534
- fix(core): do not create empty header entries in routeRules by @vejja in #539
- feat(core): crypto compatibility for Workers by @vejja in #547
- feat(core): Continuous Releases by @vejja in #549
- Revert "feat(core): Continuous Releases" by @vejja in #550
- feat(core): Continuous Releases by @vejja in #551
- chore(deps): bump vite from 5.2.8 to 5.4.11 by @dependabot in #552
- Chore/2.1.0 by @Baroshem in #532
Full Changelog: https://github.com/Baroshem/nuxt-security/compare/v2.0.0...v2.1.0
Release v2.0.0
Published on Thu Sep 19 2024
2.0.0
This is the new major version of the NuxtSecurity module. After nine release candidate versions, we are ready to present you this new amazing version.
With it, we have updated many things that you can check out below in comparison to version 1.4.0.
Enjoy!
New features
As a part of this new release, there are several new features.
A+ Score by default
Our new version delivers an A+ security rating by default on both the Mozilla Observatory and SecurityHeaders.com. Our documentation page is deployed with Nuxt-Security and is tested on these two scanners.
Performance optimization
We are considerably improving the performance of Nuxt Security with this release by removing all dependency on cheerio. Applications running in lightweight environments such as workers will benefit from significantly reduced CPU and memory usage, and faster page delivery.
Many thanks to @GalacticHypernova for leading the full rewrite of our HTML parsing engine.
All Nuxt modes
Security headers are now deployed in all Nuxt rendering modes:
- Universal
- Client-only
- Hybrid
See #441 for details.
OWASP compliance
We are updating our default security settings to conform with the latest OWASP default values for headers. Users benefit from these updated settings out of the box, with no changes required.
See #450 for details.
Full Static Support
We are significantly improving application security for static websites:
- If the site is deployed with a Nitro Preset, security headers are now delivered natively. Netlify and Vercel static presets have been fully tested.
- If the site is deployed in a custom environment (e.g. bare-metal server), we provide a new prerenderedHeaders build-time hook that exposes all security headers for complete control of your server's headers.
Next steps
We are planning a new release soon with Nuxt DevTools tab support.
What's Changed
- feat(core): use virtual file system for SRI by @vejja in #435
- feat(core): Security Headers for Pre-rendered Routes by @vejja in #441
- feat(docs): add security to docs by @vejja in #451
- perf: avoid cheerio in favor of regex by @GalacticHypernova in #404
- fix(csp): ensure charset meta at top of head by @vejja in #449
- fix(docs): update FAQ section on --host mode by @vejja in #456
- feat(core): owasp default values by @vejja in #450
- fix(core): spread storage options by @vejja in #452
- fix: remove navigate-to csp directive by @GalacticHypernova in #457
- fix(types): allow middleware props to be optional when specified in global config by @GalacticHypernova in #458
- Chore/2.0.0 rc.1 by @Baroshem in #448
- Update package version by @vejja in #461
- fix(core): rollup error by @vejja in #463
- fix(headers): fix default-src owasp value by @vejja in #464
- fix(headers): add default for connect-src by @vejja in #465
- feat(headers): explicit directives by @vejja in #466
- fix(rc): bump package version by @vejja in #467
- Chore/2.0.0-rc.6 by @vejja in #468
- add per route csrf to docs by @moshetanzer in #471
- fix(csp): inline script/style have whitespace character by @hlhc in #478
- feat(core): introduce strict mode by @vejja in #483
- fix(docs): csp denial of pinceau styles runtime hydration by @vejja in #484
- Typo fix in docs by @Simlor in #486
- Indentation corrected by @Simlor in #490
- feat(csp): support style nonce in development by @dargmuesli in #475
- feat-#487: local dev with nuxt devtools by @Baroshem in #488
- feat(doc): introduce Nuxt Scripts as alternative to useScript by @vejja in #485
- Clarified when "require-corp" is the default value (documentation change) by @Simlor in #493
- fix: ensure RegExp origin can be passed to appSecurityOptions by @Shana-AE in #498
- docs: update information about Nuxt Image by @P4sca1 in #503
- feat: support server-only (NuxtIsland) components by @P4sca1 in #502
- fix: update to latest @nuxt/module-builder by @ThibaultVlacich in #516
- fix: augment @nuxt/schema rather than nuxt/schema by @ThibaultVlacich in #520
- feat: support using regular expressions as CORS origin by @P4sca1 in #509
- Chore/2.0.0 by @Baroshem in #492
Pre-release v2.0.0-rc.7
Published on Mon Jun 24 2024
Support for #478
This new version updates the regular expressions in the 30-cspSsgHashes.ts file. The previous regular expression was not correctly capturing the content of inline script and style tags in all scenarios.
The old regular expression for inline scripts:
const INLINE_SCRIPT_RE = /<script(?![^>]*?\bsrc="[\w:.\-\/]+")[^>]*>(.*?)<\/script>/gi
The updated regular expression:
const INLINE_SCRIPT_RE = /<script(?![^>]*?\bsrc="[\w:.\-\/]+")[^>]*>([\s\S]*?)<\/script>/gi;
The change from (.*?) to ([\s\S]*?) ensures that the regular expression matches any character, including newlines, between the tags. This change improves the accuracy of inline script content capture, ensuring that our CSP security hashes are correctly generated for all inline scripts.
What's Changed
- add per route csrf to docs by @moshetanzer in #471
- fix(csp): inline script/style have whitespace character by @hlhc in #478
New Contributors
- @moshetanzer made their first contribution in #471
- @hlhc made their first contribution in #478
Full Changelog: https://github.com/Baroshem/nuxt-security/compare/v2.0.0-rc.6...v2.0.0-rc.7
Pre-release v2.0.0-rc.6
Published on Fri May 31 2024
Fixes
Remove experimental Permissions-Policy values from the default OWASP values. This clears error warnings in Chrome.
Full Changelog: https://github.com/Baroshem/nuxt-security/compare/v2.0.0-rc.5...v2.0.0-rc.6
Pre-release v2.0.0-rc.5
Published on Fri May 31 2024
Improved Security Score
We apply the Mozilla recommendations for CSP defaults:
- deny by default with default-src 'none'
- allow on a directive-by-directive basis
Our Mozilla Score is now 120/100
Full Changelog: https://github.com/Baroshem/nuxt-security/compare/v2.0.0-rc.4...v2.0.0-rc.5
Pre-release v2.0.0-rc.4
Published on Fri May 31 2024
Fixes
Add default value for the connect-src CSP directive.
Update documentation for the new OWASP defaults.
Full Changelog: https://github.com/Baroshem/nuxt-security/compare/v2.0.0-rc.3...v2.0.0-rc.4
Pre-release v2.0.0-rc.3
Published on Thu May 30 2024
Fixes
Set CSP default-src to the OWASP recommended value.
Full Changelog: https://github.com/Baroshem/nuxt-security/compare/v2.0.0-rc.2...v2.0.0-rc.3
Pre-release v2.0.0-rc.2
Published on Thu May 30 2024
Fixes
Fixes build failure due to a misconfigured rollup step.
Full Changelog: https://github.com/Baroshem/nuxt-security/compare/v2.0.0-rc.1...v2.0.0-rc.2
Pre-release v2.0.0-rc.1
Published on Thu May 30 2024
2.0.0-rc.1
This is a release candidate for the upcoming v2 of Nuxt Security.
A+ Score by default
Our new version delivers an A+ security rating by default on both the Mozilla Observatory and SecurityHeaders.com. Our documentation page is deployed with Nuxt-Security and is tested on these two scanners.
Performance optimization
We are considerably improving the performance of Nuxt Security with this release by removing all dependency on cheerio.
Applications running in lightweight environments such as workers will benefit from significantly reduced CPU and memory usage, and faster page delivery.
Many thanks to @GalacticHypernova for leading the full rewrite of our HTML parsing engine.
All Nuxt modes
Security headers are now deployed in all Nuxt rendering modes:
- Universal
- Client-only
- Hybrid
See #441 for details.
OWASP compliance
We are updating our default security settings to conform with the latest OWASP default values for headers. Users benefit from these updated settings out of the box, with no changes required.
See #450 for details.
Full static support
We are significantly improving application security for static websites:
- If the site is deployed with a Nitro Preset, security headers are now delivered natively. Netlify and Vercel static presets have been fully tested.
- If the site is deployed in a custom environment (e.g. bare-metal server), we provide a new prerenderedHeaders build-time hook that exposes all security headers for complete control of your server's headers.
Other features
- We now conform to the HTML5 standard when inserting the CSP http-equiv meta tag.
- We now support all unstorage driver options for the RateLimiter. Users can fully use any supported driver (Redis, Vercel KV, etc.).
What's Changed
- feat(core): use virtual file system for SRI by @vejja in #435
- feat(core): Security Headers for Pre-rendered Routes by @vejja in #441
- feat(docs): add security to docs by @vejja in #451
- perf: avoid cheerio in favor of regex by @GalacticHypernova in #404
- fix(csp): ensure charset meta at top of head by @vejja in #449
- fix(docs): update FAQ section on --host mode by @vejja in #456
- feat(core): owasp default values by @vejja in #450
- fix(core): spread storage options by @vejja in #452
- fix: remove navigate-to csp directive by @GalacticHypernova in #457
- fix(types): allow middleware props to be optional when specified in global config by @GalacticHypernova in #458
Release v1.4.0
Published on Fri Apr 26 2024
1.4.0
This version is a significant rewrite of the core engine of Nuxt Security, motivated primarily by the introduction of runtime hooks in PR #298 by @huang-julien and the comments thereon by @harlan-zw.
Huge kudos to @vejja for delivering this great functionality.
Full Route-Level Compatibility
This great addition by Sebastien is detailed in #429; a short summary follows below.
New features
- All security options can now be modified via runtime hooks: it is now possible to modify any of the Nuxt Security options, not solely the headers. Any other option, such as hidePoweredBy or rateLimiter, is now taken into consideration and applied at route level.
- Route rules are now consistently merged: the route merging strategy is now the same irrespective of the way the security options are set (inline, global, routeRules, and runtime hooks). Previously, it was a mix of defu, defuReplaceArray, and plain overwriting, leading to confusion about how nested rules would apply (see #430 for instance). We now apply the defuReplaceArray strategy across the board.
- Clear scoping of security headers to HTML pages, SWR support: we now make a clearer distinction between the scope of Nitro plugins (modifying HTML pages and their headers) and the scope of server middlewares (functions that apply to all routes). This avoids overwriting the headers of non-HTML assets with irrelevant options, and as a result we are able to support SWR natively.
- Route-level support of RateLimiter: thanks to the ability to resolveSecurityRoutes at runtime, we are now able to support route-based definitions for the Rate Limiter. This solves the issue of getting 429 denials for routes where we want to have a higher rate limit. We also take this opportunity to solve the issue of getting 429s when pre-rendering.
New runtime hook
This release introduces a new runtime hook, nuxt-security:routeRules, that allows you to modify any security rule on any route. With this hook, the user is now able to apply any strategy for the rule (merge, overwrite, append, etc.).
export default defineNitroPlugin((nitroApp) => {
  nitroApp.hooks.hook('nuxt-security:routeRules', async (routeRules) => {
    // any kind of modification of routeRules here, such as:
    // routeRules['/my-route'] = ...
  })
})
The former nuxt-security:ready and nuxt-security:headers hooks are still supported, but we are soft-deprecating them by removing them from the documentation.
Additional notes
This version also soft-deprecates the substitution merging via string syntax feature. This is now rendered unnecessary because the defuReplaceArray strategy is applied consistently everywhere.
We are removing corresponding mentions in the documentation, which were confusing (it only applied to headers, and it only applied in the router merging step but not in the definition step). The feature still exists to maintain backwards compatibility.
Please note that some security options can only be applied globally (removeLoggers, csrf and basicAuth) because they depend on third-party modules. The TypeScript definitions have been updated to remove these 3 options from the properties that can be set at route-level.
Next steps
We are planning a new release soon with Nuxt DevTools tab support.
Contributors
- @vejja
- @Jesse1989pp made their first contribution
- @Dominic-Marcelino made their first contribution
- @snepsnepy made their first contribution
What's Changed
- Vejja/issue413 by @vejja in #414
- update(doc): recommend useScript for Nuxt 3.11+ by @vejja in #403
- chore: bump unplugin-remove to fix sourcemap warnings by @Jesse1989pp in #420
- Update 1.csp.md - FIX comparison in docs by @Dominic-Marcelino in #424
- Fixed small typo found in the documentation by @snepsnepy in #431
- feat(core): unified router context by @vejja in #429
- Closes #269: Rate Limiter is now disabled when building with SSG
- Closes #281: Rate Limiter now records requests at the route level
- Closes #300: All security options are now configurable via the new runtime hook
- Closes #385: All security options are now resolved with the same merging strategy
- Closes #392: Rate Limiter now supports any endpoint, including /api routes
- Closes #428: SWR is now natively supported
- Closes #430: There is no need to use string syntax anymore to overwrite higher-level rules
- Closes #432: The function insertNonceInCsp now correctly handles boolean values for CSP directives
Release v1.3.0
Published on Wed Apr 03 2024
1.3.0
This version brings several bugfixes and small new features.
Kudos to all contributors!
Next steps
We are already planning release 1.3.0, which will include support for a global and per-route rate limiter as well as protecting API routes.
Enhancements
- fetch buffers from storage and convert to object
- enhance FormData with XSS validation feature
Fixes
- remove frame-ancestors from meta
- generate meta tag without html,head,body tags
- do not decode entities in HTML
- opt in to import.meta.* properties
- set nonce in response headers instead of using configuration
Documentation
- use new nuxi module add command in installation
Contributors
- @vejja
- @huang-julien
- @Ray0907 made their first contribution
- @danielroe
- @mtdvlpr
What's Changed
- fix(ssg): remove frame-ancestors from meta by @vejja in #388
- fix(ssg): generate meta tag without html,head,body tags by @mtdvlpr in #387
- fix(core): do not decode entities in HTML by @vejja in #394
- sri: fetch buffers from storage and convert to object by @vejja in #396
- Enhance FormData with XSS validation feature. by @Ray0907 in #401
- fix: opt in to import.meta.* properties by @danielroe in #406
- fix: set nonce in response headers instead of using configuration by @huang-julien in #408
- docs: use new nuxi module add command in installation by @danielroe in #410
- Chore/1.3.0 by @Baroshem in #399
Release v1.2.0
Published on Thu Feb 22 2024
1.2.0
This version brings several bugfixes and small new features, mostly related to the XSS Validator.
Kudos to all contributors!
Next steps
We are already planning release 1.3.0, which will include support for DevTools.
Enhancements
- add escapeHtml option to XssValidator
- allow users to configure methods for XSSValidator
- disable meta tag for SSG mode
Fixes
- add explicit imports for setHeader and removeResponseHeader in 00-context.ts
- move middleware logic to beforeResponse
Documentation
- fix the example for runtime hooks
- handling state with care
- add favicon fix
Contributors
- @vejja
- @huang-julien
- @scottix made their first contribution in #368
- @stefffens made their first contribution in #374
- @Morgbn made their first contribution in #377
- @GalacticHypernova made their first contribution in #376
- @mtdvlpr made their first contribution in #340
What's Changed
- docs: fix the example for runtime hooks by @huang-julien in #366
- docs: handling state with care by @scottix in #368
- fix(runtime-hooks): move middleware logic to beforeResponse by @huang-julien in #370
- fix: add explicit imports for setHeader and removeResponseHeader in 00-context.ts by @stefffens in #374
- feat: add escapeHtml option to XssValidator by @Morgbn in #377
- feat: allow users to configure methods for XSSValidator by @GalacticHypernova in #376
- feat(ssg): disable meta tag for SSG mode by @mtdvlpr in #340
Release v1.1.0
Published on Thu Feb 01 2024
1.1.0
1.1.0 is the first minor release after the stable 1.0.0 version.
The biggest feature of this version is support for runtime config by @huang-julien. Take a look at the instructions below to understand how to use it in your app.
If you need to change the headers configuration at runtime, it is possible to do so through the nuxt-security:headers hook.
Enabling the option
This feature is optional; you can enable it with:
export default defineNuxtConfig({
modules: ['nuxt-security'],
security: {
runtimeHooks: true
}
})
Within your Nitro plugin, you can override the previous configuration of a route with nuxt-security:headers.
export default defineNitroPlugin((nitroApp) => {
nitroApp.hooks.hook('nuxt-security:ready', () => {
nitroApp.hooks.callHook('nuxt-security:headers', '/**', {
contentSecurityPolicy: {
"script-src": ["'self'", "'unsafe-inline'"],
},
xFrameOptions: false
})
})
})
And also, huge kudos to all contributors.
Next steps
We are already planning release 1.2.0 with additional cool features. Stay tuned!
Enhancements
- allow configuring headers in runtime
- improving performance for SSG apps by cheerio optimizations
Fixes
- disable 05-cspSsgPresets
Documentation
- correct default for crossOriginEmbedderPolicy
- add new video and introduction page
- add favicon fix
Contributors
- vejja (@vejja)
- Jonas Thelemann (@dargmuesli)
- @CMarzin
- @AfganAbbas
- @huang-julien
- @felix-dolderer
What's Changed
- ADD favicon fix #332 by @CMarzin in #345
- Disable 05-cspSsgPresets by @vejja in #349
- docs: add new video and introduction page by @AfganAbbas in #350
- feat: allow configuring headers in runtime by @huang-julien in #298
- docs: correct default for crossOriginEmbedderPolicy by @felix-dolderer in #353
- Patch for cheerio performance by @vejja in #354
- Further optimization patch for cheerio by @vejja in #358
- Chore/1.1.0 by @Baroshem in #347
New Contributors
- @CMarzin made their first contribution in #345
- @AfganAbbas made their first contribution in #350
- @huang-julien made their first contribution in #298
- @felix-dolderer made their first contribution in #353
Release v1.0.0
Published on Wed Dec 13 2023
1.0.0
1.0.0 is the stable release
After five release candidate versions, we are now ready to present you a stable 1.0.0 release of NuxtSecurity. We have spent a lot of time trying to stabilise the API while constantly improving the security by implementing features like:
- Strict Content Security Policy
- Improved Rate Limiter
- Subresource Integrity
- Nonce
- Per route Security headers configuration
- Documentation about improving security of your Nuxt app
From this point I would like to thank @vejja, who did amazing work delivering many of the functionalities mentioned both above and below. You are a magician!
And also, huge kudos to all contributors.
Migration Guide (0.14.X -> 1.0.0)
We have tried our best not to include significant breaking changes in the stable 1.0.0 version, but some changes were necessary to improve the quality of the module. Don't worry, we have prepared a migration guide with all the changes and how you should approach migrating your current application to be up to date with 1.0.0 :)
1. Modified the structure for allowedMethodsRestricter
In the previous version, allowedMethodsRestricter was an array of HTTP methods, or '*' for all methods.
export default defineNuxtConfig({
  security: {
    allowedMethodsRestricter: ['GET']
  }
})
Now it is configured as follows:
export default defineNuxtConfig({
  security: {
    allowedMethodsRestricter: {
      methods: ['GET'],
      throwError: true, // optional
    }
  }
})
This change allows you to pass a throwError property, which can be useful to return an error response rather than throwing a default Nuxt error.
2. Changed the disabled value for permissionsPolicy
In the previous version, if you wanted to disable a certain API like camera you would do something like this:
export default defineNuxtConfig({
  security: {
    headers: {
      permissionsPolicy: {
        'camera': ['()']
},
},
},
})
Now it is configured as follows:
export default defineNuxtConfig({
security: {
headers: {
permissionsPolicy: {
'camera': [] // This will block usage of camera by this website
},
},
},
})
This change fixes the issue of passing several directives mentioned in #194.
3. Changed the type of interval in rateLimiter
In the previous version, if you wanted to set the interval for your rateLimiter you would do something like this:
export default defineNuxtConfig({
security: {
rateLimiter: {
interval: 'hour' // or a number of milliseconds, such as 60000
}
}
})
Now it is configured as follows:
export default defineNuxtConfig({
security: {
rateLimiter: {
interval: 60000
}
}
})
This change was required to migrate to an updated rateLimiter that supports modern examples.
4. Nonce value
In the previous version, nonce could be either an object of type NonceOptions or false.
export type NonceOptions = {
enabled: boolean;
mode?: 'renew' | 'check';
value?: (() => string);
}
Now it is only a boolean value:
export default defineNuxtConfig({
  security: {
    nonce: true // or false
  }
})
This change was necessary to resolve a security vulnerability in nonce handling reported by vejja in #257. Read more about the new usage of nonce in this module: https://nuxt-security.vercel.app/documentation/headers/csp#nonce
5. Strict Content Security Policy by default
In this version, we have updated ContentSecurityConfiguration by a mile; specifically, we have enabled strict CSP by default to spread good security practices.
If you are experiencing some issues with CSP, check out the new documentation about it:
- Basic CSP usage -> https://nuxt-security.vercel.app/documentation/headers/csp
- Advanced & Strict CSP -> https://nuxt-security.vercel.app/documentation/advanced/strict-csp
New features
This release introduces per-route configuration of security headers, via
defineNuxtConfig({
  routeRules: {
    [some-route]: {
      security: {
        headers: ...
      }
    }
  }
})
Next steps
This is the last release candidate version. In the next weeks we are planning to release the stable 1.0.0 version :)
Enhancements
- move logic of Static plugins to the top of module.ts to decrease the amount of code for SSG apps
- improve rateLimiter with support for unstorage (#190)
- remove console.logs after build (#128)
- add an include option for basicAuth (#219)
- option to disable hashing for SSG (#215)
- support for CSRF in Serverless Environments
- Add credentialless value to Cross-Origin-Embedder-Policy header
- Export configuration type
- Improve CSP Compliance
- ensure csp plugins are added last
- Extend CSP support of SSG mode
- use cheerio HTML parser for CSP
- hashStyles option
- Strict CSP by default
- SRI hashes for SSG mode
- Subresource Integrity
- Per-route object based headers configuration
- Limiting CSP header to HTML responses only
- Migrate to Node 18.X
- Allow falling back to global options when per-route option is not provided
Fixes
- useCsrf() is undefined (#203)
- CSRF tokens cause breakage on build using serverless environments due to incompatible exports of Node Crypto (#167)
- upgrade-insecure-requests cannot be turned off for static build (#214)
- invalid permission policy parser (#194)
- remove broken test for nonce (#213)
- Basic Auth Configuration for Multiple Paths
- Nonce value is injected in all pre-rendered pages if the nonce option is set to true
- failed to find a valid digest in the 'integrity' attribute
- Strict-Transport-Security as string not parsing max-age correctly
- Nuxt 3.8.1 breaks Subresource Integrity
- Unrecognized Content-Security-Policy directive 'undefined'
- Build fails because of removeLoggers
- allow csp value to be false
Documentation
- refactor docs to be easier (#135)
- create faq section in docs from questions in Github issues (#192)
- security composable to use in pages (#217)
- Content-Security-Policy: The page's settings blocked the loading of a resource at inline (#218)
- custom CSP merger (#198)
- stripe blocked by 'Cross-Origin-Embedder-Policy' (#229)
- update 3.rate-limiter.md fix comma (#204)
- New section for Contributing
- New section for Usage
- Reorganised Navigation
- Added global Search
- New Homepage
- New section for Headers
- New section for utils
- Embedded Playground
- New page for Releases
- Migrated to newest docus
- New Preview Image
- Per Route Security configuration with headers
- Clarify rateLimiter interval property
- Advanced documentation about Content Security Policy
- Cross-Origin-Resource-Policy header Error on Paypal Checkout -> FAQ
Chore
- remove legacy approach for middlewares in types and module.ts file (#191)
- bump packages to newer versions (#183) -> Nuxt 3.2 -> 3.7
- Reorganized project repository for easier maintenance
- specify package manager (#225)
- do not use default export for defu (#224)
- Improve TS config
CI
- improved CI script for automatic unit tests for main, rc, and renovate branches
Contributors
- vejja (@vejja)
- Jonas Thelemann (@dargmuesli)
- Thomas Rijpstra (@trijpstra-fourlights)
- Nik (@n4an)
- Daniel Roe (@danielroe)
- Pooya Parsa (@pi0)
- Sébastien Chopin (@Atinux)
- Mr. K V (@69u)
- Loïs (@Applelo)
- Max Druzhinin (@maxdzin)
- Fabricio Carvalho (@fabricioOak)
- nekotoriy (@nekotoriy)
- Insomnius (@insomnius)
- Boring Dragon (@boring-dragon)
- Espen Solli Grande (@espensgr)
- Tristan (@Tristan971)
- nsratha (@rathahin)
- Geeky Shows (@geekyshow1)
What's Changed
- Update 3.rate-limiter.md fix comma by @insomnius in #204
- fix: remove broken test for nonce by @trijpstra-fourlights in #213
- chore(package): specify manager by @dargmuesli in #225
- chore(defu): do not use default export by @dargmuesli in #224
- docs(configuration): add layer overriding instructions by @dargmuesli in #226
- ci: run on all pull requests and more branches by @dargmuesli in #223
- Add Missing commas inside the docs examples by @boring-dragon in #234
- chore: update nonce docs about unsafe-inline during development by @trijpstra-fourlights in #240
- Add documentation for updating headers on a specific route by @fabricioOak in #242
- Chore/1.0.0 rc.1 by @Baroshem in #212
- Update 3.crossOriginEmbedderPolicy.md by @espensgr in #261
- Fix/nonce-ssg by @vejja in #245
- Ensure all types are exported by @Tristan971 in #264
- improve CSP compliance by @vejja in #257
- Fix/typescript-config by @vejja in #248
- fix(csp): ensure-plugins-last by @vejja in #271
- feat(csp): Extend CSP support of SSG mode by @vejja in #272
- Fix Basic Auth Configuration for Multiple Paths by @rathahin in #267
- feat(csp): use cheerio parser by @vejja in #275
- feat(csp): add hashStyles option for SSG by @vejja in #274
- Chore/1.0.0 rc.3 by @Baroshem in #262
- docs(csp): Documentation on CSP by @vejja in #282
- feat(csp): hashStyles option by @vejja in #278
- feat(sri): Subresource Integrity by @vejja in #285
- feat(csp): SRI hashes for SSG mode by @vejja in #287
- fix(headers): allow csp value to be false by @dargmuesli in #286
- feat(csp): Strict CSP by default by @vejja in #289
- chore/1.0.0-rc.4 by @Baroshem in #283
- docs: update route rules docs by @Baroshem in #296
- feat(chore): Headers per route by @vejja in #304
- Chore/1.0.0 rc.5 by @Baroshem in #311
- fix(csrf): replace CSRF option false with boolean by @Mohamed-Kaizen in #284
- feat(doc): extend FAQ with Prismic by @vejja in #316
- Fix(types): do not overwrite @nuxt/schema by @vejja in #320
- fix(chore): hidePoweredBy error by @vejja in #318
- fix: csp false in rc5 removes custom csp header by @vejja in #322
- improve implementation and add tests by @vejja in #323
- Documentation typo change from route roules to route rules by @eyopa21 in #325
- inject integrity attribute only on valid HTML elements by @vejja in #328
- Chore/1.0.0 by @Baroshem in #317
New Contributors
- @insomnius made their first contribution in #204
- @dargmuesli made their first contribution in #225
- @boring-dragon made their first contribution in #234
- @fabricioOak made their first contribution in #242
- @espensgr made their first contribution in #261
- @vejja made their first contribution in #245
- @rathahin made their first contribution in #267
- @Mohamed-Kaizen made their first contribution in #284
- @eyopa21 made their first contribution in #325
Pre-release v1.0.0-rc.5
Published on Tue Dec 05 2023
1.0.0-rc.5 is the next release candidate
New features
This release introduces per-route configuration of security headers, via
defineNuxtConfig({
  routeRules: {
    [some-route]: {
      security: {
        headers: ...
      }
    }
  }
})
Next steps
This is the last release candidate version. In the next weeks we are planning to release the stable 1.0.0 version :)
Enhancements
- Per-route object based headers configuration
- Limiting CSP header to HTML responses only
- Migrate to Node 18.X
- Allow falling back to global options when per-route option is not provided
Fixes
- failed to find a valid digest in the 'integrity' attribute
- Strict-Transport-Security as string not parsing max-age correctly
- Nuxt 3.8.1 breaks Subresource Integrity
- Unrecognized Content-Security-Policy directive 'undefined'
- Build fails because of removeLoggers
📖 Documentation
- Per Route Security configuration with headers
❤️ Contributors
- vejja (@vejja)
Pre-release v1.0.0-rc.4
Published on Wed Nov 15 2023
1.0.0-rc.4 is the next release candidate
Next steps
We are planning to release one or two more release candidate versions before a stable 1.0.0 version will be released.
Migration Guide
This version may include ⚠️ breaking changes, but don't worry, we have prepared a migration guide for you.
In this version, we have substantially updated the Content Security Policy configuration; specifically, we have enabled strict CSP by default to spread good security practices.
If you are experiencing some issues with CSP, check out the new documentation about it:
- Basic CSP usage -> https://nuxt-security.vercel.app/documentation/headers/csp
- Advanced & Strict CSP -> https://nuxt-security.vercel.app/documentation/advanced/strict-csp
👉 Changelog (compare changes)
🚀 Enhancements
- hashStyles option
- Strict CSP by default
- SRI hashes for SSG mode
- Subresource Integrity
🩹 Fixes
- allow csp value to be false
📖 Documentation
- Advanced documentation about Content Security Policy
- Cross-Origin-Resource-Policy header Error on Paypal Checkout -> FAQ
⚠️ Breaking Changes
- Strict CSP
❤️ Contributors
- vejja (@vejja)
- Jonas Thelemann (@dargmuesli)
- Geeky Shows (@geekyshow1)
Pre-release v1.0.0-rc.3
Published on Wed Nov 01 2023
1.0.0-rc.3 is the next release candidate
Next steps
We are planning to release one or two more release candidate versions with bugfixes before a stable 1.0.0 version will be released.
Migration Guide
This version includes ⚠️ breaking changes, but don't worry, we have prepared a migration guide for you.
In the previous version, nonce could be either an object of type NonceOptions or false:
```ts
export type NonceOptions = {
  enabled: boolean;
  mode?: 'renew' | 'check';
  value?: (() => string);
}
```
Now it is only a boolean value:
```ts
export default defineNuxtConfig({
  security: {
    nonce: true // or false
  }
})
```
This change was necessary to resolve a security vulnerability in the nonce handling reported by vejja in #257. Read more about the new usage of nonce in this module: https://nuxt-security.vercel.app/documentation/headers/csp#nonce
👉 Changelog (compare changes)
🚀 Enhancements
- Add credentialless value to Cross-Origin-Embedder-Policy header
- Export configuration type
- Improve CSP Compliance
- ensure csp plugins are added last
- Extend CSP support of SSG mode
- use cheerio HTML parser for CSP
🩹 Fixes
- Basic Auth Configuration for Multiple Paths
- Nonce value is injected in all pre-rendered pages if the nonce option is set to true
📖 Documentation
- Clarify rateLimiter interval property
🏡 Chore
- Improve TS config
⚠️ Breaking Changes
- CSP Compliance
❤️ Contributors
- Espen Solli Grande (@espensgr)
- vejja (@vejja)
- Tristan (@Tristan971)
- Jonas Thelemann (@dargmuesli)
- nsratha (@rathahin)
New Contributors
Pre-release v1.0.0-rc.1
Published on Wed Oct 18 2023
1.0.0-rc.1 is the first release candidate
Next steps
We are planning to release one or two more release candidate versions with bugfixes before a stable 1.0.0 version will be released.
Migration Guide
This version includes ⚠️ breaking changes, but don't worry, we have prepared a migration guide for you.
Modified the structure of allowedMethodsRestricter
In the previous version, allowedMethodsRestricter was an array of HTTP methods, or '*' for all methods:
```ts
export default defineNuxtConfig({
  security: {
    allowedMethodsRestricter: ['GET']
  }
})
```
Now it is configured as follows:
```ts
export default defineNuxtConfig({
  security: {
    allowedMethodsRestricter: {
      methods: ['GET'],
      throwError: true // optional
    }
  }
})
```
This change allows passing a throwError property, which is useful to return an error response rather than throwing a default Nuxt error.
Changed the disabled value for permissionsPolicy
In the previous version, if you wanted to disable a certain API, such as the camera, you would do something like this:
```ts
export default defineNuxtConfig({
  security: {
    headers: {
      permissionsPolicy: {
        'camera': ['()']
      },
    },
  },
})
```
Now it is configured as follows:
```ts
export default defineNuxtConfig({
  security: {
    headers: {
      permissionsPolicy: {
        'camera': [] // This will block usage of the camera by this website
      },
    },
  },
})
```
This change fixes the issue with passing several directives mentioned in #194.
Changed the type of interval in rateLimiter
In the previous version, if you wanted to set the interval for your rateLimiter you would do something like this:
```ts
export default defineNuxtConfig({
  security: {
    rateLimiter: {
      interval: 'hour' // or a number of milliseconds, e.g. 60000
    }
  }
})
```
Now it is configured as follows, with the interval always given in milliseconds:
```ts
export default defineNuxtConfig({
  security: {
    rateLimiter: {
      interval: 60000
    }
  }
})
```
This change was required by the migration to an updated rateLimiter.
👉 Changelog (compare changes)
🚀 Enhancements
- move logic of Static plugins to the top of module.ts to decrease the amount of code for SSG apps
- improve rateLimiter with support for unstorage (#190)
- remove console.logs after build (#128)
- add an include option for basicAuth (#219)
- option to disable hashing for SSG (#215)
- support for CSRF in Serverless Environments
🩹 Fixes
- useCsrf() is undefined (#203)
- CSRF tokens cause breakage on build using serverless environments due to incompatible exports of Node Crypto (#167)
- upgrade-insecure-requests cannot be turned off for static build (#214)
- invalid permission policy parser (#194)
- remove broken test for nonce (#213)
📖 Documentation
- refactor docs to be easier (#135)
- create faq section in docs from questions in Github issues (#192)
- security composable to use in pages (#217)
- Content-Security-Policy: The page's settings blocked the loading of a resource at inline (#218)
- custom CSP merger (#198)
- stripe blocked by 'Cross-Origin-Embedder-Policy' (#229)
- update 3.rate-limiter.md fix comma (#204)
- New section for Contributing
- New section for Usage
- Reorganised Navigation
- Added global Search
- New Homepage
- New section for Headers
- New section for utils
- Embedded Playground
- New page for Releases
- Migrated to newest docus
- New Preview Image
🏡 Chore
- remove legacy approach for middlewares in types and module.ts file (#191)
- bump packages to newer versions (#183) -> Nuxt 3.2 -> 3.7
- Reorganized project repository for easier maintenance
- specify package manager (#225)
- do not use default export for defu (#224)
🤖 CI
- improved CI script for automatic unit tests for main, rc, and renovate branches
⚠️ Breaking Changes
- Permissions Policy
- Allowed Methods Restricter
❤️ Contributors
- Nik (@n4an)
- Daniel Roe (@danielroe)
- Thomas Rijpstra (@trijpstra-fourlights)
- Pooya Parsa (@pi0)
- Sébastien Chopin (@Atinux)
- Mr. K V (@69u)
- Jonas Thelemann (@dargmuesli)
- Loïs (@Applelo)
- Max Druzhinin (@maxdzin)
- Fabricio Carvalho (@fabricioOak)
- nekotoriy (@nekotoriy)
- vejja (@vejja)
- Insomnius (@insomnius)
- Boring Dragon (@boring-dragon)
New Contributors
- @insomnius made their first contribution in #204
- @dargmuesli made their first contribution in #225
- @boring-dragon made their first contribution in #234
- @fabricioOak made their first contribution in #242
Release v0.14.4
Published on Tue Sep 05 2023
What's Changed
- fix #185: errors in xss validation by @Baroshem in #186
- Add throwError?: boolean to types that need it by @csprance in #189
- docs: added trpc-nuxt configuration section by @kouts in #201
New Contributors
Full Changelog: https://github.com/Baroshem/nuxt-security/compare/v0.14.2...v0.14.4
Release v0.14.2
Published on Wed Jul 19 2023
What's Changed
- fix: nonce and ssg usage by @trijpstra-fourlights in #181
Full Changelog: https://github.com/Baroshem/nuxt-security/compare/v0.14.1...v0.14.2
Release v0.14.1
Published on Tue Jul 18 2023
What's Changed
- fix: nonce quirks when using ssr by @trijpstra-fourlights in #177
- fix: csp ssg by @Baroshem in #179
Full Changelog: https://github.com/Baroshem/nuxt-security/compare/v0.14.0...v0.14.1
Release v0.14.0
Published on Fri Jul 14 2023
What's Changed
- feat: add nonce support to csp by @trijpstra-fourlights in #171
New Contributors
- @trijpstra-fourlights made their first contribution in #171
Full Changelog: https://github.com/Baroshem/nuxt-security/compare/v0.13.1...v0.14.0
Release v0.13.1
Published on Mon Jun 19 2023
What's Changed
- docs: fix typo by @lanluartes in #139
- fix(docs): default value for Permissions-Policy by @tmlmt in #148
- Install options by @Droutin in #143
- feat: basic auth exclude routes option by @alexbidenko1998 in #145
- fix: add compatibility for modern module resolutions by @kyranet in #157
New Contributors
- @lanluartes made their first contribution in #139
- @tmlmt made their first contribution in #148
- @Droutin made their first contribution in #143
- @alexbidenko1998 made their first contribution in #145
- @kyranet made their first contribution in #157
Full Changelog: https://github.com/Baroshem/nuxt-security/compare/v0.13.0...v0.13.1
Release v0.13.0
Published on Tue Mar 21 2023
🚨 Breaking Changes
This release introduces a new approach to registering security headers and middlewares by using routeRules. I tried my best to provide backward compatibility, but you may experience issues in your projects.
Basically, the configuration provided in the security object in nuxt.config.ts is now used as a global configuration, while any per-route configuration is now handled by routeRules.
Check out the docs to see the changes: https://nuxt-security.vercel.app/getting-started/configuration
What's Changed
- fix: basic auth by @Baroshem in #126
- feat: #109 routeRules support by @Baroshem in #129
- feat: #116 add vitest tests by @Baroshem in #131
- 0.13.0 by @Baroshem in #130
Full Changelog: https://github.com/Baroshem/nuxt-security/compare/v0.12.0...v0.13.0
Release v0.11.0
Published on Thu Mar 02 2023
What's Changed
- documentation Fixed typo for "anti-trojan-source" by @mubaidr in #99
- Fix incorrect auth condition in basic-auth by @Tristan971 in #102
- chore: bump nuxt to 3.2.0 by @Baroshem in #105
- docs: rewrite by @Baroshem in #110
- feat: csrf by @Baroshem in #111
- docs: use security checklists by @Baroshem in #113
- feat: enable CSP for SSG by @tresko in #112
- chore: small corrections before release by @Baroshem in #115
New Contributors
- @mubaidr made their first contribution in #99
- @Tristan971 made their first contribution in #102
- @tresko made their first contribution in #112
Full Changelog: https://github.com/Baroshem/nuxt-security/compare/v0.10.2...v0.11.0
Release v0.10.2
Published on Mon Jan 30 2023
What's Changed
- Fix Module Options by @runyasak in #88
- docs: add stackblitz to repo by @Baroshem in #91
- Docs/add stackblitz to repo by @Baroshem in #92
- fix: nuxt 3.1.X x-powered-by by @Baroshem in #94
New Contributors
Full Changelog: https://github.com/Baroshem/nuxt-security/compare/v0.10.1...v0.10.2
Release v0.10.1
Published on Mon Jan 16 2023
Release v0.10.0
Published on Mon Jan 02 2023
What's Changed
- fix: use custom merger for options to avoid array values concatenation by @Qrzy in #80
- docs: add video tutorial by @Baroshem in #76
- feat: optional throw error by @Baroshem in #75
- feat: add enabled config option by @Baroshem in #72
Full Changelog: https://github.com/Baroshem/nuxt-security/compare/v0.9.0...v0.10.0
Release v0.9.0
Published on Tue Dec 06 2022
What's Changed
- chore: replace npm with yarn in readme by @DamianGlowala in #63
- refactor: minor improvements in rateLimiter by @DamianGlowala in #62
- chore: lint files by @DamianGlowala in #61
- feat: improve headers config and types by @Qrzy in #65
- fix: xss protection header should be a string by @danielroe in #68
New Contributors
- @DamianGlowala made their first contribution in #63
- @danielroe made their first contribution in #68
Full Changelog: https://github.com/Baroshem/nuxt-security/compare/v0.8.0...v0.9.0
Release v0.8.0
Published on Fri Nov 18 2022
Release v0.7.0
Published on Fri Nov 11 2022
What's Changed
- docs: correct headers default config in docs by @Qrzy in #49
- Chore/0.7.0 by @Baroshem in #53
- Added new good practices docs
- Bump to Nuxt 3.0.0-rc.13
- Fixed some type issues
- Found a reason for failing on Windows - now investigating further but also found a workaround
New Contributors
Full Changelog: https://github.com/Baroshem/nuxt-security/compare/v0.6.0...v0.7.0
Release v0.6.0
Published on Fri Nov 04 2022
- Fixed issues with the module on Windows
- Fixed issues in npm page
- Added new docs about Security Good Practices
- Fixed completely hiding 'X-Powered-By' header
What's Changed
Full Changelog: https://github.com/Baroshem/nuxt-security/compare/v0.5.0...v0.6.0
Release v0.5.0
Published on Sat Oct 29 2022
What's Changed
- feat: hide powered by by @Baroshem in #36
- docs: add Good Practices section by @Baroshem in #37
- feat: add allowedMethodsRestricter by @Baroshem in #39
Full Changelog: https://github.com/Baroshem/nuxt-security/compare/v0.4.0...v0.5.0
Release v0.4.0
Published on Sat Oct 22 2022
With this version we have refactored the security header middlewares into the recently released routeRules, which should be faster and easier for the user to override.
Breaking Change (potential)
This affects you if you have added custom headers that were supposed to override the default ones.
Previously, security header middleware routes were '' (empty strings), which caused the middleware to be global.
Now, with routeRules, the route should be /** to make it global.
What's Changed
- Docs/docus and templates by @Baroshem in #15
- docs: add Stackblitz demo by @Baroshem in #19
- feat: switched to unstorage by @Intevel in #29
- Chore/0.4.0 by @Baroshem in #33
New Contributors
Full Changelog: https://github.com/Baroshem/nuxt-security/compare/v0.3.0...v0.4.0
Release v0.3.0
Published on Sat Oct 15 2022
Release v0.2.1
Published on Tue Oct 11 2022
Release v0.2.0
Published on Tue Oct 11 2022
Release v0.1.0
Published on Sat Oct 08 2022
Full Changelog: https://github.com/Baroshem/nuxt-security/commits/v0.1.0