1.0.0-rc.4

1.0.0-rc.4 is the next release candidate

🗞️ Next steps

We are planning to release one or two more release candidate versions before a stable 1.0.0 version will be released.

✅ Migration Guide

This version may include ⚠️ breaking changes but don't worry, we have prepared migration guide for you 😉

In this version, we have updated ContentSecurityConfiguration by a mile, specifically we have enabled strict CSP by default to spread good security practices.

If you are experiencing some issues with CSP, check out the new documentation about it:

1. Basic CSP usage -> https://nuxt-security.vercel.app/documentation/headers/csp
2. Advanced & Strict CSP -> https://nuxt-security.vercel.app/documentation/advanced/strict-csp

👉 Changelog
compare changes

🚀 Enhancements

• hashStyles option
• Strict CSP by default
• SRI hashes for SSG mode
• Subresource Integrity

🩹 Fixes

• allow csp value to be false

📖 Documentation

• Advanced documentation about Content Security Policy
• Cross-Origin-Resource-Policy header Error on Paypal Checkout -> FAQ

⚠️ Breaking Changes

• Strict CSP

❤️ Contributors

• vejja (@vejja)
• Jonas Thelemann (@dargmuesli)
• Geeky Shows (@geekyshow1)

1.0.0-rc.3

1.0.0-rc.3 is the next release candidate

🗞️ Next steps

We are planning to release one or two more release candidate versions with bugfixes before a stable 1.0.0 version will be released.

✅ Migration Guide

This version includes ⚠️ breaking changes but don't worry, we have prepared migration guide for you 😉

In the previous version, nonce could be either an object with a type NonceOptions or false.

export type NonceOptions = {
  enabled: boolean;
  mode?: 'renew' | 'check';
  value?: (() => string);
}

Now it is only a boolean value:

export default defineNuxtConfig({
  security: {
    nonce: true | false
  }
}

This change was necessary to resolve security vulnerability for nonce reported by vejja #257. Read more about the new usage of nonce in this module https://nuxt-security.vercel.app/documentation/headers/csp#nonce

👉 Changelog
compare changes

🚀 Enhancements

• Add credentialless value to Cross-Origin-Embedder-Policy header
• Export configuration type
• Improve CSP Compliance
• ensure csp plugins are added last
• Extend CSP support of SSG mode
• use cheerio HTML parser for CSP

🩹 Fixes

• Basic Auth Configuration for Multiple Paths
• Nonce value is injected in all pre-rendered pages if the nonce option is set to true

📖 Documentation

• Clarify rateLimiter interval property

🏡 Chore

• Improve TS config

⚠️ Breaking Changes

• CSP Compliance

❤️ Contributors

• Espen Solli Grande (@espensgr)
• vejja (@vejja)
• Tristan (@Tristan971)
• Jonas Thelemann (@dargmuesli)
• nsratha (@rathahin)

🏋️‍♂️ New Contributors

• @espensgr made their first contribution in #261
• @vejja made their first contribution in #245
• @rathahin made their first contribution in #267

1.0.0-rc.1

1.0.0-rc.1 is the first release candidate

🗞️ Next steps

We are planning to release one or two more release candidate versions with bugfixes before a stable 1.0.0 version will be released.

✅ Migration Guide

This version includes ⚠️ breaking changes but don't worry, we have prepared migration guide for you 😉

Modifed the structure for alllowedMethodsRestricter

In the previous version, alllowedMethodsRestricter was an array of HTTP methods or '*' for all methods.

export default defineNuxtConfig({
  security: {
    allowedMethodsRestricter: ['GET']
  }
}

Now it is configured like following:

export default defineNuxtConfig({
  security: {
    allowedMethodsRestricter: {
      methods: ['GET'],
      throwError?: true,
    }
  }
}

This change allows to pass a throwError property that can be useful to return an error response rather than throwing a default Nuxt error.

Changed the disabled value for permissionsPolicy

In the previous version, if you wanted to disable certain API like camera you would do something like this:

export default defineNuxtConfig({
  security: {
    headers: {
      permissionsPolicy: {
        'camera': [()]
      },
    },
  },
})

Now it is configured like following:

export default defineNuxtConfig({
  security: {
    headers: {
      permissionsPolicy: {
        'camera': [] // This will block usage of camera by this website
      },
    },
  },
})

This change allows to fix an issue of passing several directives mentioned in #194

Changed the type of interval in rateLimiter

In the previous version, if you wanted to set the interval for your rateLimiter you would do something like this:

export default defineNuxtConfig({
  security: {
    rateLimiter: {
      interval: 'hour' | 60000
    }
  }
})

Now it is configured like following:

export default defineNuxtConfig({
  security: {
    rateLimiter: {
      interval: 60000
    }
  }
})

This change was required to migrate to an updated rateLimiter that supports modern examples.

👉 Changelog
compare changes

🚀 Enhancements

• move logic of Static plugins to the top of module.ts to decrease the amount of code for SSG apps
• improve rateLimiter with support for unstorage (#190)
• remove console.logs after build (#128)
• add an include option for basicAuth (#219)
• option to disable hashing for SSG (#215)
• support for CRSF in Serverless Environments

🩹 Fixes

• useCsrf() is undefined (#203)
• CSRF tokens cause breakage on build using serverless environments due to incompatible exports of Node Crypto (#167)
• upgrade-insecure-requests cannot be turned off for static build (#214)
• invalid permission policy parser (#194)
• remove broken test for nonce (#213)

📖 Documentation

• refactor docs to be easier (#135)
• create faq section in docs from questions in Github issues (#192)
• security composable to use in pages (#217)
• Content-Security-Policy: The page’s settings blocked the loading of a resource at inline (#218)
• custom CSP merger (#198)
• stripe blocked by 'Cross-Origin-Embedder-Policy' (#229)
• update 3.rate-limiter.md fix comma (#204)
• New section for Contributing
• New section for Usage
• Reorganised Navigation
• Added global Search
• New Homepage
• New section for Headers
• New section for utils
• Embedded Playground
• New page for Releases
• Migrated to newest docus
• New Preview Image

🏡 Chore

• remove legacy approach for middlewares in types and module.ts file (#191)
• bump packages to newer versions (#183) -> Nuxt 3.2 -> 3.7
• Reorganized project repository for easier maintenance
• specify package manager (#225)
• do not use default export for defu (#224)

🤖 CI

• improved CI script for automatic unit tests for main, rc, and renovate branches

⚠️ Breaking Changes

• Permissions Policy
• Allowed Methods Restricter

❤️ Contributors

• Nik (@n4an)
• Daniel Roe (@danielroe)
• Thomas Rijpstra (@trijpstra-fourlights)
• Pooya Parsa (@pi0)
• Sébastien Chopin (@atinux)
• Mr. K V (@69u)
• Jonas Thelemann (@dargmuesli)
• Loïs (@Applelo)
• Max Druzhinin (@maxdzin)
• Fabricio Carvalho (@fabricioOak)
• nekotoriy (@nekotoriy)
• vejja (@vejja)
• Insomnius (@insomnius)
• Boring Dragon (@boring-dragon)

🏋️‍♂️ New Contributors

• @insomnius made their first contribution in #204
• @dargmuesli made their first contribution in #225
• @boring-dragon made their first contribution in #234
• @fabricioOak made their first contribution in #242

v0.14.4

What's Changed

• fix #185: errors in xss validation by @Baroshem in #186
• Add throwError?: boolean to types that need it by @csprance in #189
• docs: added trpc-nuxt configuration section by @kouts in #201

New Contributors

• @csprance made their first contribution in #189
• @kouts made their first contribution in #201

Full Changelog: v0.14.2...v0.14.4

0.14.2

What's Changed

• fix: nonce and ssg usage by @trijpstra-fourlights in #181

Full Changelog: v0.14.1...v0.14.2

0.14.1

What's Changed

• fix: nonce quirks when using ssr by @trijpstra-fourlights in #177
• fix: csp ssg by @Baroshem in #179

Full Changelog: v0.14.0...v0.14.1

0.14.0

What's Changed

• feat: add nonce support to csp by @trijpstra-fourlights in #171

New Contributors

• @trijpstra-fourlights made their first contribution in #171

Full Changelog: v0.13.1...v0.14.0

0.13.1

What's Changed

• docs: fix typo by @lanluartes in #139
• fix(docs): default value for Permissions-Policy by @tmlmt in #148
• Install options by @Droutin in #143
• feat: basic auth exclude routes option by @alexbidenko1998 in #145
• fix: add compatibility for modern module resolutions by @kyranet in #157

New Contributors

• @lanluartes made their first contribution in #139
• @tmlmt made their first contribution in #148
• @Droutin made their first contribution in #143
• @alexbidenko1998 made their first contribution in #145
• @kyranet made their first contribution in #157

Full Changelog: v0.13.0...v0.13.1

0.13.0

🚨 Breaking Changes

This Release introduces a new approach to registering security headers and middlewares by using the routeRules. I tried my best to provide backward compatibility but you may experience issues in your projects.

Basically, the configuration provided in security object in nuxt.config.ts is now used as a global configuration while any per-route configuration is now handled by routeRules.

Check out the docs to see the changes: https://nuxt-security.vercel.app/getting-started/configuration

What's Changed

• fix: basic auth by @Baroshem in #126
• feat: #109 routeRules support by @Baroshem in #129
• feat: #116 add vitest tests by @Baroshem in #131
• 0.13.0 by @Baroshem in #130

Full Changelog: v0.12.0...v0.13.0

0.12.0

What's Changed

• feat: #114 migrate cors by @Baroshem in #119
• feat: #118 cors default origin by @Baroshem in #120
• feat: #117 add permisions policy by @Baroshem in #121

Full Changelog: v0.11.0...v0.12.0