Security configuration for application that runs on multiple domains

[Gonzo17]

Hey guys,

I have the following use case. I'm going to build a frontend which will be used for a website in many different countries. Each country has it's own domain. Handling the requests depending on the country/domain is not a problem. What I wonder now is how I can handle security configurations for different domains.

Let me give you one specific example. Let's say I'm using a 3rd-party tool that will do some requests on it's own. For that to work I need to configure my CSP. But it might happen, that the 3rd-party tool requests different domains depending on the country I am in. Let's say for US it will call www.thirdparty.com while for China it calls www.somethingelse.cn. What is the best way to set the configuration?

Some ideas I had:

• I could provide a "one-for-all" security configuration which contains the CSP for all cases (is that a bad practice?)
• I could run one frontend instance per country/domain (seems way too much overhead)

[Baroshem]

Hey there,

Very good question. I would say that having one CSP for all is a good choice. It will help you avoid multiple different configurations and a need to update several configs if you start using another third party globally (like an digital asset management for example).

But maybe you could use the Nuxt Runtime Config to provide differetnt configuration for different domains?

[Gonzo17]

But maybe you could use the Nuxt Runtime Config to provide differetnt configuration for different domains?

That's what I meant with "one frontend instance per domain", it would be possible for sure. Regarding the architecture and scaling that doesn't feel very good.

I would say that having one CSP for all is a good choice. It will help you avoid multiple different configurations and a need to update several configs if you start using another third party globally (like an digital asset management for example).

I think that will be my approach. In the end, I guess only 2-3% of the configuration will be domain-specific, the rest should be the same for all domains.

I thought about a new feature for this module: The possibility to define several "profiles" that can be changed dynamically. But I guess that will be overkill for my use case since I don't see any possible conflicting configurations.

Thanks for your reply!