
The corsHandler is not reflected. Defaults take preference. #505

Open
myaaaapon opened this issue Aug 1, 2024 · 5 comments
Labels
question Further information is requested

Comments

@myaaaapon

myaaaapon commented Aug 1, 2024

This handy module has saved me a lot of time on my security!!
I always appreciate your developments 😊

I have three questions and suggestions.

1. Information on js/css default values in the documentation.

It seems that the header values are different for HTML and the rest of the files.
I have spent a lot of time mistaking this for a bug...😢
I think it would be more helpful to mention this in the documentation.

Defaults
  • Mentioned below. #434

2. Header settings under the backend and js/css header settings in the frontend are the same

By default, the header settings are the same as the front-end js/css files, even though the files are under the back-end /server/api.
Sorry... I am not very familiar with this, but is this a security issue?

Mentioned below. #434

3. corsHandler settings are not applied. Is this a bug?

I want to set Access-Control-Allow-Origin: http://localhost:3000 (documentation: CORS Handler).

If it is as follows, it is not applied.

```ts
// nuxt.config.ts
// This is a problem.

export default {
    routeRules: {
        '/api/**': {
            security: {
                corsHandler: {
                    // but the default settings take precedence. This means that the following will happen.
                    // Access-Control-Allow-Origin: *
                    origin: 'http://localhost:3000'
                },
            },
        }
    },
}
```

It will be applied if you do the following.

```ts
// nuxt.config.ts
// It worked.

export default {
    routeRules: {
        '/api/**': {
            security: {
                corsHandler: false
            },
            headers: {
                // It worked...
                // Access-Control-Allow-Origin: http://localhost:3000
                'Access-Control-Allow-Origin': 'http://localhost:3000'
            }
        }
    },
}
```

I would like default values for methods other than origin, allowHeaders and other items.
In other words, how can I make only origin a unique setting?
Or is this my mistake..?

@myaaaapon myaaaapon added the question Further information is requested label Aug 1, 2024
@myaaaapon myaaaapon changed the title from "About header settings and corsHandler. Is this a bug?" to "The corsHandler is not reflected. Defaults take preference." Aug 1, 2024
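The behaviour reported above, modelled as an added example that is not nuxt-security's own code: the defaults listed in this thread (origin `*`, the six default methods) are combined with a route rule that sets only `origin`, once in the order the issue reports (defaults win, so the API route still answers `*`) and once in the order the reporter wants (route rule wins per key, other keys keep their defaults). The `allowHeaders` default is a constructed placeholder.

```javascript
// Added example, not nuxt-security's own code: models the two ways a route
// rule's corsHandler options can be combined with the module defaults.

// Defaults as listed in this thread: origin '*' and the six default methods.
// allowHeaders is a constructed placeholder, not the module's real default.
const CORS_DEFAULTS = {
  origin: '*',
  methods: ['GET', 'HEAD', 'PUT', 'PATCH', 'POST', 'DELETE'],
  allowHeaders: ['Content-Type'],
};

// Constructed route rule mirroring the nuxt.config.ts above (only origin set).
const ROUTE_RULE_CORS = { origin: 'http://localhost:3000' };

// Behaviour the issue reports: defaults are spread last, so they clobber origin.
function resolveDefaultsWin(override, defaults = CORS_DEFAULTS) {
  return { ...override, ...defaults };
}

// Behaviour the reporter wants: the route rule wins per key, every other key
// keeps its default value.
function resolveRouteRuleWins(override, defaults = CORS_DEFAULTS) {
  return { ...defaults, ...override };
}

// Render the resolved options to the response headers a browser would see.
function toHeaders(cors) {
  return {
    'Access-Control-Allow-Origin': cors.origin,
    'Access-Control-Allow-Methods': cors.methods.join(', '),
    'Access-Control-Allow-Headers': cors.allowHeaders.join(', '),
  };
}

// Defender's check: fail loudly when an API route still reflects the wildcard
// origin after a narrower origin was configured.
function assertOriginApplied(headers, expectedOrigin) {
  const got = headers['Access-Control-Allow-Origin'];
  if (got !== expectedOrigin) {
    throw new Error(`expected Access-Control-Allow-Origin ${expectedOrigin}, got ${got}`);
  }
  return true;
}
```

Running `assertOriginApplied` against the real `/api/**` responses of a deployed app is the quickest way to tell which merge order a given module version actually uses.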
@vejja
Collaborator

vejja commented Aug 3, 2024

Hi @myaaaapon

You are right that we do not apply the same settings to HTML resources, JS/CSS files and backend routes.
This is documented here: https://nuxt-security.vercel.app/documentation/advanced/security-headers
Maybe the documentation is not clear enough. Let us know if you have suggestions for reorganizing the docs.

The logic is basically the following:

  • some security headers are only valid for HTML resources (e.g. Content Security Policy, Permissions Policy)
  • all other security headers are valid for all resources (e.g. Strict Transport Security), so this includes HTML, JS/CSS, and backend routes
  • middlewares only apply to backend routes

JS/CSS files (and all other static files) are delivered differently whether you are using SSR (delivered by the Nuxt server) or SSG (delivered by your CDN or your custom static server). If you have difficulty understanding the headers of your JS/CSS files, let me know your server setup so that I can further guide you.

As far as the CORS handler is concerned, I’ll have a look at how we resolve the rules and let you know here.
Cheers
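The three rules above, turned into a small checker as an added example (not nuxt-security's code): it classifies a response as HTML, static asset or backend route and reports which of the discussed headers and middlewares should apply, so a missing or unexpected header on a JS file or `/api/` route can be told apart from a real bug. The path and content-type heuristic is a constructed assumption.

```javascript
// Added example, not nuxt-security's code: a model of the scoping rules
// described in this thread, usable to check a response against them.

// Scope as stated above: CSP and Permissions-Policy are HTML-only, generic
// headers such as HSTS apply to every resource, and middlewares (the CORS
// handler among them) apply only to backend routes.
const HEADER_SCOPE = {
  'Content-Security-Policy': ['html'],
  'Permissions-Policy': ['html'],
  'Strict-Transport-Security': ['html', 'asset', 'api'],
};
const MIDDLEWARE_SCOPE = { corsHandler: ['api'] };

// Constructed heuristic: classify by path prefix and content type.
function classify(path, contentType) {
  if (path.startsWith('/api/')) return 'api';
  if (contentType && contentType.toLowerCase().startsWith('text/html')) return 'html';
  if (/\.(js|css|map|woff2?|png|svg)$/i.test(path)) return 'asset';
  return 'asset'; // anything else non-HTML is treated like a static file
}

// Which headers and middlewares the rules say this response should carry.
function expectedHeaders(path, contentType) {
  const kind = classify(path, contentType);
  const headers = Object.keys(HEADER_SCOPE).filter((h) => HEADER_SCOPE[h].includes(kind));
  const middlewares = Object.keys(MIDDLEWARE_SCOPE).filter((m) => MIDDLEWARE_SCOPE[m].includes(kind));
  return { kind, headers, middlewares };
}

// Compare the header names a response actually carried with the expectation;
// returns the expected headers that are absent (case-insensitive match).
function missingHeaders(path, contentType, actualHeaderNames) {
  const have = new Set(actualHeaderNames.map((h) => h.toLowerCase()));
  return expectedHeaders(path, contentType).headers.filter((h) => !have.has(h.toLowerCase()));
}
```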

@Baroshem
Collaborator

Baroshem commented Aug 6, 2024

Hey @myaaaapon, any feedback from your side? Is there anything we could do to improve the documentation? :)

@myaaaapon
Author

myaaaapon commented Aug 7, 2024

Hi @vejja

Thank you for your detailed answer 😊

I had missed your advanced settings...

This gave me a good understanding of the difference between the HTML headers and the headers of the rest of the files.
It helped me a lot. Thank you.

If any policy on CORS Handler has been decided on your end, I would be grateful if you could share it with me.


Hi @Baroshem
Someone might, like me, think "The default header values for js/css files and files under /api are not set!" and mistake this for a bug, so I felt it would be easier to understand if there was a link or something on the "default configuration" page. 🤔

Addition:

I found a mistake in the documentation.

```diff
- type HTTPMethod = 'GET' | 'POST' | 'DELETE' | 'PATCH' | 'POST' | string;
```

Perhaps the following is correct:

```diff
+ type HTTPMethod = 'GET' | 'POST' | 'DELETE' | 'PATCH' | 'PUT' | string;
```

Alternatively, since the default value for CORS Handler is the following, I think a default value identical to it might be fine.
What do you think?

  • cors-handler - ['GET', 'HEAD', 'PUT', 'PATCH', 'POST', 'DELETE']

I think this is also good:

```diff
+ type HTTPMethod = 'GET' | 'HEAD' | 'PUT' | 'PATCH' | 'POST' | 'DELETE' | string;
```

@vejja @Baroshem
Finally, thank you for your very polite and prompt reply.
I was in trouble, but you have helped me a lot 😊

@Baroshem
Collaborator

Baroshem commented Aug 8, 2024

@myaaaapon Thanks for the extensive research from your side!

Would you be interested in contributing to the project with the bugfixes you mentioned? I will be more than happy to help you :)

@Baroshem
Collaborator

Hey @myaaaapon bumping the topic above :)

No branches or pull requests

3 participants