Releases: nuxt-modules/security
v2.1.5
🚨 Hotfix Release: disable minification by default
This release fixes an issue reported in #576 whereby Nuxt UI v3 styles could break.
The issue was related to minification settings.
This release also deploys the new version of the documentation pages for Nuxt Security
Enjoy reading 📖
What's Changed
- Chore/2.1.4 by @vejja in #568
- docs-#558: refactor docs new version by @Baroshem in #560
- fix(docs): broken links by @aryan02420 in #574
- fix(loggers): do not set minify option by default by @vejja in #577
New Contributors
- @aryan02420 made their first contribution in #574
Full Changelog: v2.1.4...v2.1.5
2.1.4
🩹 Hotfix Release: SRI for PrimeVue
This release introduces specific support for Subresource Integrity (SRI) with PrimeVue.
❤️ Contributors
- Lawren
What's Changed
- chore(release): 2.1.3 by @vejja in #566
- fix: #564 resolves issue with element.replace on non-string elements by @lawren in #567
Full Changelog: v2.1.3...v2.1.4
2.1.3
🩹 Hotfix Release: Nonce for PrimeVue
This release introduces specific support for CSP nonces with PrimeVue.
❤️ Contributors
- Lawren
What's Changed
- chore(release): 2.1.2 by @vejja in #563
- fix: #564 resolves issue with element.replace on non-string elements by @lawren in #565
New Contributors
Full Changelog: v2.1.2...v2.1.3
2.1.2
🚨 Hotfix release: re-enable console.log in dev mode
This release stops Nuxt Security from removing console.log statements in development mode.
Nuxt Security helps you ship safer applications by removing console.log statements when the removeLoggers option is set to true, which is the default value.
However, removing console.log statements by default in development mode as well left our users wondering why their logs were disappearing.
With this release, removeLoggers only removes console.log statements in production builds.
What's Changed
Full Changelog: v2.1.1...v2.1.2
2.1.1
🛠️ Hotfix Release: Node 18 Compatibility
This hotfix release re-introduces support for Node 18.
Node 18 is the minimum requirement for all Nuxt 3 applications.
Full Changelog: v2.1.0...v2.1.1
2.1.0
2.1.0 🎉
This is a new minor version where we focused mainly on fixing bugs, but we also introduced Continuous Releases by StackBlitz!
Enjoy!
❤️ Contributors
- @vejja
- @dungsil made their first contribution in #530
- @DamianGlowala
- @Baroshem
What's Changed
- docs: fix broken links by @dungsil in #530
- fix: devtools being blocked in strict mode by @dungsil in #531
- feat(csp): trusted types by @vejja in #529
- fix(sri): incorrect cdnUrl resolution by @vejja in #536
- docs: mention correct default value for COOP by @DamianGlowala in #543
- feat(core): Vite native method to remove loggers by @vejja in #534
- fix(core): do not create empty header entries in routeRules by @vejja in #539
- feat(core): crypto compatibility for Workers by @vejja in #547
- feat(core): Continuous Releases by @vejja in #549
- Revert "feat(core): Continuous Releases" by @vejja in #550
- feat(core): Continuous Releases by @vejja in #551
- chore(deps): bump vite from 5.2.8 to 5.4.11 by @dependabot in #552
- Chore/2.1.0 by @Baroshem in #532
New Contributors
Full Changelog: v2.0.0...v2.1.0
2.0.0
2.0.0 🎉
This is the new major version of the Nuxt Security module. After nine release candidate versions, we are ready to present this new version to you 🚀
With it, we have updated many things that you can check out below in comparison to version 1.4.0.
Enjoy!
New features
As a part of this new release, there are several new features.
A+ Score by default
Our new version delivers an A+ security rating by default on both the Mozilla Observatory and SecurityHeaders.com.
Our documentation page is deployed with Nuxt Security and is tested against these two scanners.
Performance optimization
We are considerably improving the performance of Nuxt Security with this release by removing all dependency on cheerio.
Applications running in lightweight environments such as workers will benefit from significantly reduced CPU and memory usage and faster page delivery.
Many thanks to @GalacticHypernova for leading the full rewrite of our HTML parsing engine 💚
All Nuxt modes
Security headers are now deployed in all Nuxt rendering modes:
- Universal
- Client-only
- Hybrid
See #441 for details.
OWASP compliance
We are updating our default security settings to conform with the latest OWASP recommended values for headers.
Users benefit from these updated settings out of the box, with no changes required.
See #450 for details.
Full Static Support
We are significantly improving application security for static websites:
- If the site is deployed with a Nitro Preset, security headers are now delivered natively. Netlify and Vercel static presets have been fully tested.
- If the site is deployed in a custom environment (e.g. a bare-metal server), we provide a new prerenderedHeaders build-time hook that exposes all security headers for complete control of your server's headers.
🗞️ Next steps
We are planning a new release soon with the Nuxt DevTools Tab support 🚀
❤️ Contributors
What's Changed
- feat(core): use virtual file system for SRI by @vejja in #435
- feat(core): Security Headers for Pre-rendered Routes by @vejja in #441
- feat(docs): add security to docs by @vejja in #451
- perf: avoid cheerio in favor of regex by @GalacticHypernova in #404
- fix(csp): ensure charset meta at top of head by @vejja in #449
- fix(docs): update FAQ section on --host mode by @vejja in #456
- feat(core): owasp default values by @vejja in #450
- fix(core): spread storage options by @vejja in #452
- fix: remove navigate-to csp directive by @GalacticHypernova in #457
- fix(types): allow middleware props to be optional when specified in global config by @GalacticHypernova in #458
- Chore/2.0.0 rc.1 by @Baroshem in #448
- Update package version by @vejja in #461
- fix(core): rollup error by @vejja in #463
- fix(headers): fix default-src owasp value by @vejja in #464
- fix(headers): add default for connect-src by @vejja in #465
- feat(headers): explicit directives by @vejja in #466
- fix(rc): bump package version by @vejja in #467
- Chore/2.0.0-rc.6 by @vejja in #468
- add per route csrf to docs by @moshetanzer in #471
- fix(csp): inline script/style have whitespace character by @hlhc in #478
- feat(core): introduce strict mode by @vejja in #483
- fix(docs): csp denial of pinceau styles runtime hydration by @vejja in #484
- Typo fix in docs by @Simlor in #486
- Indentation corrected by @Simlor in #490
- feat(csp): support style nonce in development by @dargmuesli in #475
- feat-#487: local dev with nuxt devtools by @Baroshem in #488
- feat(doc): introduce Nuxt Scripts as alternative to useScript by @vejja in #485
- Clarified when "require-corp" is the default value (documentation change) by @Simlor in #493
- fix: ensure RegExp[] origin can be passed to appSecurityOptions by @Shana-AE in #498
- docs: update information about Nuxt Image by @P4sca1 in #503
- feat: support server-only (NuxtIsland) components by @P4sca1 in #502
- fix: update to latest @nuxt/module-builder by @ThibaultVlacich in #516
- fix: augment @nuxt/schema rather than nuxt/schema by @ThibaultVlacich in #520
- feat: support using regular expressions as CORS origin by @P4sca1 in #509
- Chore/2.0.0 by @Baroshem in #492
New Contributors
2.0.0-rc.7
Support for #478
This new version updates the regular expressions in the 30-cspSsgHashes.ts file. The previous regular expression did not correctly capture the content of inline script and style tags in all scenarios.
The old regular expression for inline scripts:
const INLINE_SCRIPT_RE = /<script(?![^>]*?\bsrc="[\w:.-\/]+")[^>]*>(.*?)<\/script>/gi
The updated regular expression:
const INLINE_SCRIPT_RE = /<script(?![^>]*?\bsrc="[\w:.-\/]+")[^>]*>([\s\S]*?)<\/script>/gi;
The change from (.*?) to ([\s\S]*?) ensures that the regular expression matches any character, including newlines, between the <script> and </script> tags, since . does not match a newline in JavaScript. This change improves the accuracy of inline script content capture, ensuring that our CSP hashes are correctly generated for all inline scripts.
What's Changed
- add per route csrf to docs by @moshetanzer in #471
- fix(csp): inline script/style have whitespace character by @hlhc in #478
New Contributors
- @moshetanzer made their first contribution in #471
- @hlhc made their first contribution in #478
Full Changelog: v2.0.0-rc.6...v2.0.0-rc.7
v2.0.0-rc.6
🩹 Fixes
Remove experimental Permissions-Policy values from the default OWASP values.
This clears error warnings in Chrome.
Full Changelog: v2.0.0-rc.5...v2.0.0-rc.6
v2.0.0-rc.5
Improved Security Score 🥇
We apply the Mozilla recommendations for CSP defaults:
- deny by default with default-src 'none'
- allow on a directive-by-directive basis
Our Mozilla Score is now 120/100
Full Changelog: v2.0.0-rc.4...v2.0.0-rc.5