[Feature Request]: expose generated security headers at build time

[mtdvlpr]

Is your feature request related to a problem? Please describe.

I use SSG and I want to be able to extract the generated security headers (especially the csp with defined integrity hashes), so that I can write those headers to an nginx configuration file before deploying the static build output to my nginx server.

Describe the solution you'd like

I'm not sure how this feature can be implemented best, but here are some vague ideas I have:

• Fix 05-cspSsgPresets.ts somehow
• Write the headers to a file so a user can read the file and use it's content
• Provide a hook that exposes the headers once they are generated for a user to hook into (similar to the nitro compiled hook)

Describe alternatives you've considered

I tried to use the runtime hooks feature introduced in v1.1.0, but this didn't work.

Another solution for me would be to calculate the integrity hashes myself in some script and then use those values to create my header configuration, but it makes more sense to use this module, because it also forces the header values in dev mode, so they can be tested and it gives some common sense defaults that I wouldn't have to configure manually.

Additional context

Related to #336.

[Baroshem]

Hey @mtdvlpr

Could you explain why the 1.1.0 version with the runtime does not work?

[Baroshem]

Hey @mtdvlpr any feedback from your side? :)

[mtdvlpr]

Hi @Baroshem, as the name suggests, it only works for runtime, not buildtime. When I'm generating static output, the runtime hook is never called.

[Baroshem]

Apologies, I missed that

@vejja do you maybe have some ifeas on how this can be delivered?

[vejja]

Hi all
We disabled 05-cspSsgPresets when we had the issue about @nuxt/kit that couldn't be imported anymore #348
I'll have a look into this as I would need the same feature myself, will let you guys know later this week

[vejja]

@mtdvlpr see PR #441

[mtdvlpr]

@vejja awesome! Thanks so much!

[vejja]

Hey @mtdvlpr
For now I'm only writing the headers to the route config so that they can be picked up by the Nitro presets.
But I remember you were looking for a hook, I did not implement that yet but it will definitely be possible.

How do you view this hook working ? I suppose you want to run nuxi generate and somewhere within that process do something with the headers, but I'm not 100% sure if that's correct.
Can you let me know a bit more about your use case and how you would use the hook ?

[mtdvlpr]

Indeed. I want to get the headers during the nuxi generate process so that I can create my nginx config file with the proper headers, but if the nitro preset feature is restored, I can revert back to using that, so for me the problem would be fixed.

[vejja]

Where would you write the code that creates the Nginx conf file in your Nuxt application, would that be in a Nitro plugin ?
How do you make sure the config file is created in a place that gets bundled into the final static output?

[mtdvlpr]

@vejja, I have a Nitro plugin that reads the headers from the routeRules and writes them to a file using node:fs. In my CICD pipeline I combine the generated config file and the nuxt output and upload that to the server.

[vejja]

@mtdvlpr @Baroshem - I am adding the hook functionality to the PR, on top of the nitro preset feature.

I'm adding it by way of a Nuxt build time hook, rather than a Nitro run time hook.
The difference is that a Nitro runtime hook would run each time the server is restarted, while the Nuxt build time hook only runs when you generate the assets with nuxi.
Also, with the Nuxt build time hook, there is no need to write a Nitro plugin. You can access the hook directly in defineNuxtConfig.

[Baroshem]

That is a great idea @vejja Thanks!

Let's plan it for the 2.0.0-rc.1 release :)