1.0.0 🎉
1.0.0 is the stable release
After five release candidate versions, we are now ready to present a stable 1.0.0 release of NuxtSecurity. We have spent a lot of time stabilising the API while constantly improving security by implementing features like:
- Strict Content Security Policy
- Improved Rate Limiter
- Subresource Integrity
- Nonce
- Per route Security headers configuration
- Documentation about improving security of your Nuxt app
From this point I would like to thank @vejja, who did amazing work delivering many of the functionalities mentioned both above and below. You are a magician! 🚀
And also, huge kudos to all contributors 🎉
✅ Migration Guide (0.14.X -> 1.0.0)
We have tried our best not to include significant breaking changes in the stable 1.0.0 version, but some changes were necessary to improve the quality of the module. Don't worry, we have prepared a migration guide with all the changes and how to approach migrating your current application so it is up to date with 1.0.0 :)
1. Modified the structure of allowedMethodsRestricter
In the previous version, allowedMethodsRestricter was an array of HTTP methods, or '*' for all methods.
```ts
export default defineNuxtConfig({
  security: {
    allowedMethodsRestricter: ['GET']
  }
})
```
Now it is configured as follows:
```ts
export default defineNuxtConfig({
  security: {
    allowedMethodsRestricter: {
      methods: ['GET'],
      throwError: true // optional
    }
  }
})
```
This change lets you pass a throwError property, which is useful for returning an error response rather than throwing the default Nuxt error.
2. Changed the disabled value for permissionsPolicy
In the previous version, if you wanted to disable a certain API like camera you would do something like this:
```ts
export default defineNuxtConfig({
  security: {
    headers: {
      permissionsPolicy: {
        'camera': ['()'] // the old "empty allowlist" marker
      },
    },
  },
})
```
Now it is configured as follows:
```ts
export default defineNuxtConfig({
  security: {
    headers: {
      permissionsPolicy: {
        'camera': [] // This will block usage of camera by this website
      },
    },
  },
})
```
This change fixes the issue with passing several directives reported in #194.
3. Changed the type of interval in rateLimiter
In the previous version, if you wanted to set the interval for your rateLimiter you would do something like this:
```ts
export default defineNuxtConfig({
  security: {
    rateLimiter: {
      interval: 'hour' // or a number of milliseconds, e.g. 60000
    }
  }
})
```
Now it is configured as follows (a number of milliseconds only):
```ts
export default defineNuxtConfig({
  security: {
    rateLimiter: {
      interval: 60000
    }
  }
})
```
This change was required by the migration to the updated rateLimiter.
4. Nonce value
In the previous version, nonce could be either an object of type NonceOptions or false.
```ts
export type NonceOptions = {
  enabled: boolean;
  mode?: 'renew' | 'check';
  value?: (() => string);
}
```
Now it is only a boolean value:
```ts
export default defineNuxtConfig({
  security: {
    nonce: true // or false
  }
})
```
This change was necessary to resolve the nonce security vulnerability reported by @vejja in #257. Read more about the new usage of nonce in this module at https://nuxt-security.vercel.app/documentation/headers/csp#nonce
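The four changes above can be applied mechanically. The following is an added example, not nuxt-security's own code: a small migration helper that rewrites a 0.14.x-style `security` object into the 1.0.0 shape, covering steps 1 to 4 and passing every other key through untouched. It assumes that the legacy "block this feature" marker in permissionsPolicy is the string '()' and that the legacy interval string 'hour' means 60 minutes; the type names (LegacySecurityConfig, MigratedSecurityConfig) and the sample config are constructed for this illustration.

```typescript
// Added example for the migration guide; not nuxt-security's own code.
// Rewrites the `security` keys covered by steps 1-4 from their 0.14.x shape
// into the 1.0.0 shape and passes every other key through unchanged.
// Assumptions (not stated on the page): the legacy "disabled" marker for a
// Permissions-Policy feature is the string '()', and the legacy interval
// string 'hour' means 60 minutes.

export type LegacyNonceOptions = {
  enabled: boolean
  mode?: 'renew' | 'check'
  value?: () => string
}

export interface LegacySecurityConfig {
  allowedMethodsRestricter?: string[] | '*'
  headers?: Record<string, unknown>
  rateLimiter?: Record<string, unknown>
  nonce?: LegacyNonceOptions | false
  [key: string]: unknown
}

export interface MigratedSecurityConfig {
  allowedMethodsRestricter?: { methods: string[] | '*'; throwError?: boolean }
  headers?: Record<string, unknown>
  rateLimiter?: Record<string, unknown>
  nonce?: boolean
  [key: string]: unknown
}

const HOUR_IN_MS = 60 * 60 * 1000
const LEGACY_DISABLED_MARKER = '()' // assumption: the 0.14.x "block this feature" value

// Step 3: interval must now be a positive number of milliseconds.
export function toMilliseconds(interval: unknown): number {
  if (typeof interval === 'number' && Number.isFinite(interval) && interval > 0) return interval
  if (interval === 'hour') return HOUR_IN_MS
  throw new Error(`Unsupported legacy rateLimiter.interval: ${String(interval)}`)
}

// Step 2: an empty allowlist now means "blocked", so the legacy marker is dropped.
export function migratePermissionsPolicy(policy: Record<string, string[]>): Record<string, string[]> {
  const migrated: Record<string, string[]> = {}
  for (const [feature, allowlist] of Object.entries(policy)) {
    migrated[feature] = allowlist.filter((origin) => origin !== LEGACY_DISABLED_MARKER)
  }
  return migrated
}

export function migrateSecurityConfig(legacy: LegacySecurityConfig): MigratedSecurityConfig {
  const { allowedMethodsRestricter, headers, rateLimiter, nonce, ...rest } = legacy
  const migrated = { ...rest } as MigratedSecurityConfig

  if (allowedMethodsRestricter !== undefined) {
    // Step 1: the array (or '*') moves under `methods`; throwError stays optional.
    migrated.allowedMethodsRestricter = { methods: allowedMethodsRestricter }
  }
  if (headers !== undefined) {
    const policy = headers.permissionsPolicy
    migrated.headers = policy && typeof policy === 'object'
      ? { ...headers, permissionsPolicy: migratePermissionsPolicy(policy as Record<string, string[]>) }
      : { ...headers }
  }
  if (rateLimiter !== undefined) {
    migrated.rateLimiter = rateLimiter.interval === undefined
      ? { ...rateLimiter }
      : { ...rateLimiter, interval: toMilliseconds(rateLimiter.interval) }
  }
  if (nonce !== undefined) {
    // Step 4: only the on/off flag survives; mode and value no longer exist in 1.0.0.
    migrated.nonce = nonce === false ? false : nonce.enabled
  }
  return migrated
}

// Constructed sample of a 0.14.x-style `security` object to run the migration on.
export const LEGACY_EXAMPLE: LegacySecurityConfig = {
  allowedMethodsRestricter: ['GET'],
  headers: {
    permissionsPolicy: { camera: ['()'], geolocation: ['self'] },
    xFrameOptions: 'DENY',
  },
  rateLimiter: { interval: 'hour' },
  nonce: { enabled: true, mode: 'renew' },
}

export const MIGRATED_EXAMPLE = migrateSecurityConfig(LEGACY_EXAMPLE)
console.log(JSON.stringify(MIGRATED_EXAMPLE, null, 2))
```

Run it with your own `security` object in place of LEGACY_EXAMPLE and paste the printed object back into nuxt.config. Keys the helper does not know about are copied verbatim, so anything outside steps 1 to 4 is left for you to review by hand.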
5. Strict Content Security Policy by default
In this version, we have substantially reworked the Content Security Policy configuration; in particular, strict CSP is now enabled by default to promote good security practices.
If you are experiencing some issues with CSP, check out the new documentation about it:
- Basic CSP usage -> https://nuxt-security.vercel.app/documentation/headers/csp
- Advanced & Strict CSP -> https://nuxt-security.vercel.app/documentation/advanced/strict-csp
🍾 New features
This release introduces per-route configuration of security headers via routeRules:
```ts
export default defineNuxtConfig({
  routeRules: {
    '/some-route': { // placeholder: replace with your route pattern
      security: {
        headers: {
          // header configuration for this route only
        }
      }
    }
  }
})
```
🗞️ Next steps
This is the last release candidate version. In the coming weeks we are planning to release the stable 1.0.0 version :)
👉 Changelog
🚀 Enhancements
- move logic of Static plugins to the top of module.ts to decrease the amount of code for SSG apps
- improve rateLimiter with support for unstorage (#190)
- remove console.logs after build (#128)
- add an include option for basicAuth (#219)
- option to disable hashing for SSG (#215)
- support for CSRF in Serverless Environments
- Add credentialless value to Cross-Origin-Embedder-Policy header
- Export configuration type
- Improve CSP Compliance
- ensure csp plugins are added last
- Extend CSP support of SSG mode
- use cheerio HTML parser for CSP
- hashStyles option
- Strict CSP by default
- SRI hashes for SSG mode
- Subresource Integrity
- Per-route object based headers configuration
- Limiting CSP header to HTML responses only
- Migrate to Node 18.X
- Allow falling back to global options when per-route option is not provided
🩹 Fixes
- useCsrf() is undefined (#203)
- CSRF tokens cause breakage on build using serverless environments due to incompatible exports of Node Crypto (#167)
- upgrade-insecure-requests cannot be turned off for static build (#214)
- invalid permission policy parser (#194)
- remove broken test for nonce (#213)
- Basic Auth Configuration for Multiple Paths
- Nonce value is injected in all pre-rendered pages if the nonce option is set to true
- failed to find a valid digest in the 'integrity' attribute
- Strict-Transport-Security as string not parsing max-age correctly
- Nuxt 3.8.1 breaks Subresource Integrity
- Unrecognized Content-Security-Policy directive 'undefined'
- Build fails because of removeLoggers
- allow csp value to be false
📖 Documentation
- refactor docs to be easier (#135)
- create faq section in docs from questions in Github issues (#192)
- security composable to use in pages (#217)
- Content-Security-Policy: The page’s settings blocked the loading of a resource at inline (#218)
- custom CSP merger (#198)
- stripe blocked by 'Cross-Origin-Embedder-Policy' (#229)
- update 3.rate-limiter.md fix comma (#204)
- New section for Contributing
- New section for Usage
- Reorganised Navigation
- Added global Search
- New Homepage
- New section for Headers
- New section for utils
- Embedded Playground
- New page for Releases
- Migrated to newest docus
- New Preview Image
- Per Route Security configuration with headers
- Clarify rateLimiter interval property
- Advanced documentation about Content Security Policy
- Cross-Origin-Resource-Policy header Error on Paypal Checkout -> FAQ
🏡 Chore
- remove legacy approach for middlewares in types and module.ts file (#191)
- bump packages to newer versions (#183): Nuxt 3.2 -> 3.7
- Reorganized project repository for easier maintenance
- specify package manager (#225)
- do not use default export for defu (#224)
- Improve TS config
🤖 CI
- improved CI script for automatic unit tests for main, rc, and renovate branches
❤️ Contributors
- vejja (@vejja)
- Jonas Thelemann (@dargmuesli)
- Thomas Rijpstra (@trijpstra-fourlights)
- Nik (@n4an)
- Daniel Roe (@danielroe)
- Pooya Parsa (@pi0)
- Sébastien Chopin (@atinux)
- Mr. K V (@69u)
- Loïs (@Applelo)
- Max Druzhinin (@maxdzin)
- Fabricio Carvalho (@fabricioOak)
- nekotoriy (@nekotoriy)
- Insomnius (@insomnius)
- Boring Dragon (@boring-dragon)
- Espen Solli Grande (@espensgr)
- Tristan (@Tristan971)
- nsratha (@rathahin)
- Geeky Shows (@geekyshow1)
What's Changed
- Update 3.rate-limiter.md fix comma by @insomnius in #204
- fix: remove broken test for nonce by @trijpstra-fourlights in #213
- chore(package): specify manager by @dargmuesli in #225
- chore(defu): do not use default export by @dargmuesli in #224
- docs(configuration): add layer overriding instructions by @dargmuesli in #226
- ci: run on all pull requests and more branches by @dargmuesli in #223
- Add Missing commas inside the docs examples by @boring-dragon in #234
- chore: update nonce docs about unsafe-inline during development by @trijpstra-fourlights in #240
- Add documentation for updating headers on a specific route by @fabricioOak in #242
- Chore/1.0.0 rc.1 by @Baroshem in #212
- Update 3.crossOriginEmbedderPolicy.md by @espensgr in #261
- Fix/nonce-ssg by @vejja in #245
- Ensure all types are exported by @Tristan971 in #264
- improve CSP compliance by @vejja in #257
- Fix/typescript-config by @vejja in #248
- fix(csp): ensure-plugins-last by @vejja in #271
- feat(csp): Extend CSP support of SSG mode by @vejja in #272
- Fix Basic Auth Configuration for Multiple Paths by @rathahin in #267
- feat(csp): use cheerio parser by @vejja in #275
- feat(csp): add hashStyles option for SSG by @vejja in #274
- Chore/1.0.0 rc.3 by @Baroshem in #262
- docs(csp): Documentation on CSP by @vejja in #282
- feat(csp): hashStyles option by @vejja in #278
- feat(sri): Subresource Integrity by @vejja in #285
- feat(csp): SRI hashes for SSG mode by @vejja in #287
- fix(headers): allow csp value to be false by @dargmuesli in #286
- feat(csp): Strict CSP by default by @vejja in #289
- chore/1.0.0-rc.4 by @Baroshem in #283
- docs: update route rules docs by @Baroshem in #296
- feat(chore): Headers per route by @vejja in #304
- Chore/1.0.0 rc.5 by @Baroshem in #311
- fix(csrf): replace CSRF option false with boolean by @Mohamed-Kaizen in #284
- feat(doc): extend FAQ with Prismic by @vejja in #316
- Fix(types): do not overwrite @nuxt/schema by @vejja in #320
- fix(chore): hidePoweredBy error by @vejja in #318
- fix: csp false in rc5 removes custom csp header by @vejja in #322
- improve implementation and add tests by @vejja in #323
- Documentation typo change from route roules to route rules by @eyopa21 in #325
- inject integrity attribute only on valid HTML elements by @vejja in #328
- Chore/1.0.0 by @Baroshem in #317
New Contributors
- @insomnius made their first contribution in #204
- @dargmuesli made their first contribution in #225
- @boring-dragon made their first contribution in #234
- @fabricioOak made their first contribution in #242
- @espensgr made their first contribution in #261
- @vejja made their first contribution in #245
- @rathahin made their first contribution in #267
- @Mohamed-Kaizen made their first contribution in #284
- @eyopa21 made their first contribution in #325