Merge pull request #33 from Baroshem/chore/0.4.0

Chore/0.4.0

docs/content/1.getting-started/1.quick-start.md

@@ -28,7 +28,9 @@ description: ''
    })
    ```
 
-3. **Add Security configuration**
+And that's it! The Nuxt Security module will now register routeRoules and middlewares to make your application more secure.
+
+3. **(Optional) Add Custom Security configuration**
 
    ```js{}[nuxt.config.js]
    export default defineNuxtConfig({

docs/content/1.getting-started/2.configuration.md

@@ -3,8 +3,9 @@ title: Configuration
 description: ''
 ---
 
-## Options
+The module by default will register middlewares and route roules to make your application more secure. If you need, you can also modify or disable any of middlewares/routes if you do not need them or your project cannot use them (i.e. some Statically Generated websites will not be able to use middlewares).
 
+## Configuration Types
 
 Each middleware configuration object is build using same TS type:
 
@@ -15,6 +16,9 @@ export type MiddlewareConfiguration<MIDDLEWARE> = {
 }
 ```
 
+* `value` is the value of certain header or middleware. It may be a simple string or an object depending on the method.
+* `route` is the route that should this header or middleware be attached to. By default for routeRoules (headers) the route is `/**` and for middlewares is `''` (empty string) -> global middleware.
+
 All module configuration is the following type:
 
 ```ts
@@ -27,6 +31,10 @@ export interface ModuleOptions {
 }
 ```
 
+All above `ModuleOptions` are explained in more details in the [next chapter](/middlewares/headers)
+
+## Default configuration
+
 This module will by default set the following configuration options to enable middlewares:
 
 ```ts

docs/content/2.middlewares/1.headers.md

@@ -3,7 +3,9 @@ title: Headers
 description: ''
 ---
 
-This middleware will help you solve [this](https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#use-appropriate-security-headers) security problem.
+A set of Nuxt `routeRoules` that will add appriopriate security headers to your response that will make your application more secure by default. All headers can be overriden by using the module configuration or by overriding certain routes.
+
+It will help you solve [this](https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#use-appropriate-security-headers) security problem.
 
 ```ts
 export type MiddlewareConfiguration<MIDDLEWARE> = {
@@ -47,3 +49,199 @@ To write a custom logic for this middleware follow this pattern:
   }
 }
 ```
+
+## `Content-Security-Policy`
+
+Content Security Policy (CSP) helps prevent unwanted content from being injected/loaded into your webpages. This can mitigate cross-site scripting (XSS) vulnerabilities, clickjacking, formjacking, malicious frames, unwanted trackers, and other web client-side attacks.
+
+Read more about this header [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP).
+
+Default value:
+
+```ts
+contentSecurityPolicy: {
+  value:
+    "base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests",
+  route: '/**',
+}
+```
+
+## Cross-Origin-Embedder-Policy
+
+The HTTP Cross-Origin-Embedder-Policy (COEP) response header prevents a document from loading any cross-origin resources that don't explicitly grant the document permission.
+
+Read more about this header [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy).
+
+Default value:
+
+```ts
+crossOriginEmbedderPolicy: {
+  value: "require-corp",
+  route: '/**',
+},
+```
+
+## `Cross-Origin-Opener-Policy`
+
+The HTTP Cross-Origin-Opener-Policy (COOP) response header allows you to ensure a top-level document does not share a browsing context group with cross-origin documents. COOP will process-isolate your document and potential attackers can't access your global object if they were to open it in a popup, preventing a set of cross-origin attacks dubbed XS-Leaks.
+
+Read more about this header [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy).
+
+Default value:
+
+```ts
+crossOriginOpenerPolicy: {
+  value: "same-origin",
+  route: '/**',
+},
+```
+
+## `Cross-Origin-Resource-Policy`
+
+Cross-Origin Resource Policy is a policy set by the Cross-Origin-Resource-Policy HTTP header that lets web sites and applications opt in to protection against certain requests from other origins (such as those issued with elements like `<script>` and `<img>`), to mitigate speculative side-channel attacks, like Spectre, as well as Cross-Site Script Inclusion attacks. CORP is an additional layer of protection beyond the default same-origin policy. Cross-Origin Resource Policy complements Cross-Origin Read Blocking (CORB), which is a mechanism to prevent some cross-origin reads by default.
+
+Read more about this header [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cross-Origin_Resource_Policy_(CORP)).
+
+Default value:
+
+```ts
+crossOriginResourcePolicy: {
+  value: "same-origin",
+  route: '/**',
+},
+```
+
+## `Origin-Agent-Cluster`
+
+Origin-Agent-Cluster is a new HTTP response header that instructs the browser to prevent synchronous scripting access between same-site cross-origin pages. Browsers may also use Origin-Agent-Cluster as a hint that your origin should get its own, separate resources, such as a dedicated process.
+
+Read more about this header [here](https://web.dev/origin-agent-cluster).
+
+Default value:
+
+```ts
+originAgentCluster: {
+  value: "?1",
+  route: '/**',
+},
+```
+
+## `Referrer-Policy`
+
+The Referrer-Policy HTTP header controls how much referrer information (sent with the Referer header) should be included with requests. Aside from the HTTP header, you can set this policy in HTML.
+
+Read more about this header [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy).
+
+Default value:
+
+```ts
+referrerPolicy: {
+  value: "no-referrer",
+  route: '/**',
+},
+```
+
+## `Strict-Transport-Security`
+
+The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) informs browsers that the site should only be accessed using HTTPS, and that any future attempts to access it using HTTP should automatically be converted to HTTPS.
+
+Read more about this header [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security).
+
+Default value:
+
+```ts
+strictTransportSecurity: {
+  value: "max-age=15552000; includeSubDomains",
+  route: '/**',
+},
+```
+
+## `X-Content-Type-Options`
+
+The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers should be followed and not be changed. The header allows you to avoid MIME type sniffing by saying that the MIME types are deliberately configured.
+
+Read more about this header [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options).
+
+Default value:
+
+```ts
+xContentTypeOptions: {
+  value: "nosniff", 
+  route: '/**',
+},
+```
+
+## `X-DNS-Prefetch-Control`
+
+The X-DNS-Prefetch-Control HTTP response header controls DNS prefetching, a feature by which browsers proactively perform domain name resolution on both links that the user may choose to follow as well as URLs for items referenced by the document, including images, CSS, JavaScript, and so forth. This prefetching is performed in the background, so that the DNS is likely to have been resolved by the time the referenced items are needed. This reduces latency when the user clicks a link.
+
+Read more about this header [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control).
+
+Default value:
+
+```ts
+xDNSPrefetchControl: {
+  value: "off",
+  route: '/**',
+},
+```
+
+## `X-Download-Options`
+
+The X-Download-Options HTTP header has only one option: X-Download-Options: noopen. This is for Internet Explorer from version 8 on to instruct the browser not to open a download directly in the browser but instead to provide only the �Save� option. The user has to first save it and then open it in an application.
+
+Read more about this header [here](https://webtechsurvey.com/response-header/x-download-options).
+
+Default value:
+
+```ts
+xDownloadOptions: {
+  value: "noopen",
+  route: '/**',
+},
+```
+
+## `X-Frame-Options`
+
+The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a `<frame>`, `<iframe>`, `<embed>` or `<object>`. Sites can use this to avoid click-jacking attacks, by ensuring that their content is not embedded into other sites.
+
+Read more about this header [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options).
+
+Default value:
+
+```ts
+xFrameOptions: {
+  value: "SAMEORIGIN",
+  route: '/**',
+},
+```
+
+## `X-Permitted-Cross-Domain-Policies`
+
+The X-Permitted-Cross-Domain-Policies header is used to permit cross-domain requests from Flash and PDF documents. In most cases, these permissions are defined in an XML document called crossdomain.xml found in the root directory of the web page. For situations in which the root directory cannot be specified, however, this header can be used to define a desired meta policy. The X-Permitted-Cross-Domain-Policies header should ideally be set as restrictively as possible.
+
+Read more about this header [here](https://www.scip.ch/en/?labs.20180308#:~:text=The%20X%2DPermitted%2DCross%2D,documents%20for%20cross%2Ddomain%20requests.&text=The%20Public%2DKey%2DPins%20header,complexity%20and%20dwindling%20browser%20support.).
+
+Default value:
+
+```ts
+xPermittedCrossDomainPolicies: {
+  value: "none",
+  route: '/**',
+},
+```
+
+## `X-XSS-Protection`
+
+The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. These protections are largely unnecessary in modern browsers when sites implement a strong Content-Security-Policy that disables the use of inline JavaScript ('unsafe-inline').
+
+Read more about this header [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection).
+
+Default value:
+
+```ts
+xXSSProtection: {
+  value: 0,
+  route: '/**',
+},
+```

docs/content/2.middlewares/2.request-size-limiter.md

@@ -3,7 +3,9 @@ title: Request Size Limiter
 description: ''
 ---
 
-This middleware will help you solve [this](https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#set-request-size-limits) security problem.
+This middleware works for `GET`, `POST`, and `DELETE` methods and will throw an `413 Payload Too Large` error when the payload will be larger than the one set in the configuration. Works for both request size and upload file request size.
+
+It will help you solve [this](https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#set-request-size-limits) security problem.
 
 ```ts
 export type RequestSizeLimiter = {

docs/content/2.middlewares/3.rate-limiter.md

@@ -3,7 +3,9 @@ title: Rate Limiter
 description: ''
 ---
 
-This middleware will help you solve [this](https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#take-precautions-against-brute-forcing) security problem.
+This middleware stores ip address of a request in memory and will throw an `429 Too Many Requests` error when there will be too many requests than the number set in the configuration. Based on <https://github.com/jhurliman/node-rate-limiter> and <https://github.com/ptarjan/node-cache>
+
+It will help you solve [this](https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#take-precautions-against-brute-forcing) security problem.
 
 ```ts
 export type RateLimiter = {

docs/content/2.middlewares/4.xss-validator.md

@@ -3,7 +3,9 @@ title: XSS Validator
 description: ''
 ---
 
-This middleware will help you solve [this](https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#perform-output-escaping) security problem. This middleware is based on https://github.com/leizongmin/js-xss
+This middleware works for both `GET`, `POST` methods and will throw an `400 Bad Request` error when the either body or query params will contain unsecure code. Based on <https://github.com/leizongmin/js-xss>
+
+It will help you solve [this](https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#perform-output-escaping) security problem.
 
 ```ts
 export type XssValidator = {

docs/content/2.middlewares/5.cors-handler.md

@@ -3,7 +3,9 @@ title: CORS Handler
 description: ''
 ---
 
-This middleware will help you solve [this](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) security problem. This middleware is based on https://github.com/NozomuIkuta/h3-cors
+This middleware will help you set your CORS options. Based on <https://github.com/NozomuIkuta/h3-cors>
+
+This middleware will help you solve [this](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) security problem.
 
 ```ts
 export interface CorsOptions {

package.json

@@ -1,6 +1,6 @@
 {
   "name": "nuxt-security",
-  "version": "0.3.0",
+  "version": "0.4.0",
   "license": "MIT",
   "type": "module",
   "homepage": "https://nuxt-security.vercel.app",
@@ -25,15 +25,16 @@
   },
   "dependencies": {
     "@nozomuikuta/h3-cors": "^0.1.5",
-    "@nuxt/kit": "^3.0.0-rc.11",
+    "@nuxt/kit": "^3.0.0-rc.12",
     "limiter": "^2.1.0",
+    "memory-cache": "^0.2.0",
     "xss": "^1.0.14"
   },
   "devDependencies": {
     "@nuxt/module-builder": "latest",
-    "@nuxt/schema": "^3.0.0-rc.11",
+    "@nuxt/schema": "^3.0.0-rc.12",
     "@nuxtjs/eslint-config-typescript": "latest",
     "eslint": "latest",
-    "nuxt": "^3.0.0-rc.11"
+    "nuxt": "^3.0.0-rc.12"
   }
 }

playground/nuxt.config.ts

@@ -5,4 +5,19 @@ export default defineNuxtConfig({
   modules: [
     MyModule
   ],
+  // security: {
+  //   headers: {
+  //     crossOriginResourcePolicy: {
+  //       value: "test",
+  //       route: '/**',
+  //     },
+  //   },
+  //   requestSizeLimiter: {
+  //     value: {
+  //       maxRequestSizeInBytes: 3000000,
+  //       maxUploadFileRequestInBytes: 9000000,
+  //     },
+  //     route: '/upload-file'
+  //   }
+  // }
 })