1.4.0
1.4.0 🎉
This version is a significant rewrite of the core engine of Nuxt Security, motivated primarily by the introduction of runtime hooks in PR #298 by @huang-julien and comments thereon by @harlan-zw.
Huge kudos to @vejja for delivering this great functionality 💚
Full Route-Level Compatibility
This great addition by Sebastien is well detailed here #429 but as short summary can be seen below.
New features
-
All security options can now be modified via runtime hooks
It is now possible to modify any of the Nuxt Security options, and not solely the headers : any other option such as hidePoweredBy, rateLimiter, is now taken into consideration and applied at route level. -
Route rules are now consistently merged
The router merging strategy is now the same irrespective of the way the security options are set (inline, global, routeRules, and runtime hooks). Previously, it was a mix of defu, defuReplaceArray, and plain overwriting - leading to confusion on how nested rules would apply (see #430 for instance). We now apply the defuReplaceArray strategy across the board. -
Clear scoping of security headers to HTML pages, SWR support
We now make a clearer distinction between the scope of Nitro plugins (modifying HTML pages and their headers) and the scope of Server middlewares (functions that apply to all routes). This avoids to overwrite headers of non-HTML assets with irrelevant options, and as a result we are able to support SWR natively. -
Route-level support of RateLimiter
Thanks to the ability to resolveSecurityRoutes at runtime, we are now able to support route-based definitions for the Rate Limiter. This solves the issue of getting 429 denials for routes where we want to have a higher rate limit. We also take this opportunity to solve the issue of getting 429s when pre-rendering.
New runtime hook
This PR introduces a new runtime hook : nuxt-security:routeRules
, that allows to modify any security rule on any route. With this hook, the user is now able to apply any strategy for the rule (merge, overwrite, append, etc.).
nitroApp.hooks.hook('nuxt-security:routeRules', async routeRules => {
// any kind of modification of routeRules here, such as :
routeRules['/my-route'] = ...
})
The former nuxt-security:ready & nuxt-security:headers hooks are still supported but we are soft-depecrating them by removing them from the documentation.
Additional notes
This version also soft-deprecates the substitution merging via string syntax feature. This is now rendered unnecessary because the defuReplaceArray strategy is applied consistently everywhere.
We are removing corresponding mentions in the documentation, which were confusing (it only applied to headers, and it only applied in the router merging step but not in the definition step). The feature still exists to maintain backwards compatibility.
Please note that some security options can only be applied globally (removeLoggers, csrf and basicAuth) because they depend on third-party modules. The TypeScript definitions have been updated to remove these 3 options from the properties that can be set at route-level.
🗞️ Next steps
We are planning a new release soon with the Nuxt DevTools Tab support 🚀
👉 Changelog
compare changes
❤️ Contributors
- @vejja
- @Jesse1989pp made their first contribution
- @Dominic-Marcelino made their first contribution
- @snepsnepy made their first contribution
What's Changed
- Vejja/issue413 by @vejja in #414
- update(doc): recommend useScript for Nuxt 3.11+ by @vejja in #403
- chore: bump unplugin-remove to fix sourcemap warnings by @Jesse1989pp in #420
- Update 1.csp.md - FIX comparison in docs by @Dominic-Marcelino in #424
- Fixed small typo found in the documentation by @snepsnepy in #431
- feat(core): unified router context by @vejja in #429
- Closes #269 : Rate Limiter is now disabled when building with SSG
- Closes #281 : Rate Limiter now records requests at the route level
- Closes #300: All security options are now configurable via the new runtime hook
- Closes #385 : All security options are now resolved with the same merging strategy
- Closes #392 : Rate Limiter now supports any endpoint, including /api routes
- Closes #428 : SWR is now natively supported
- Closes #430 : There is no need to use string syntax anymore to overwrite higher-level rules
- Closes #432 : The function insertNonceInCsp now correctly handles boolean value for CSP directives