1.0.0

[Baroshem]

1.0.0 🎉

1.0.0 is the stable release

After five release candidate versions, we are now ready to present you a stable 1.0.0 release of NuxtSecurity. We have spent a lot of time trying to stabilise the API while constantly improving the security by implementing features like:

• Strict Content Security Policy
• Improved Rate Limiter
• Subresource Integrity
• Nonce
• Per route Security headers configuration
• Documentation about improving security of your Nuxt app

From this point I would like to thank @vejja who did an amazing work delivering a lot of functionalities mentioned both above and below. You are a magician! 🚀

And also, huge kudos to all contributors 🎉

✅ Migration Guide (0.14.X -> 1.0.0)

We have tried our best not to include significant breaking changes in the recent stable 1.0.0 version but some changes were necessary to improve quality of the module. Don't worry, we have prepared a migration guide with all the changes and how you should approach when migrating your current application to be up to date with 1.0.0 :)

1. Modifed the structure for alllowedMethodsRestricter

In the previous version, alllowedMethodsRestricter was an array of HTTP methods or '*' for all methods.

export default defineNuxtConfig({
  security: {
    allowedMethodsRestricter: ['GET']
  }
}

Now it is configured like following:

export default defineNuxtConfig({
  security: {
    allowedMethodsRestricter: {
      methods: ['GET'],
      throwError?: true,
    }
  }
}

This change allows to pass a throwError property that can be useful to return an error response rather than throwing a default Nuxt error.

2. Changed the disabled value for permissionsPolicy

In the previous version, if you wanted to disable certain API like camera you would do something like this:

export default defineNuxtConfig({
  security: {
    headers: {
      permissionsPolicy: {
        'camera': [()]
      },
    },
  },
})

Now it is configured like following:

export default defineNuxtConfig({
  security: {
    headers: {
      permissionsPolicy: {
        'camera': [] // This will block usage of camera by this website
      },
    },
  },
})

This change allows to fix an issue of passing several directives mentioned in #194

3. Changed the type of interval in rateLimiter

In the previous version, if you wanted to set the interval for your rateLimiter you would do something like this:

export default defineNuxtConfig({
  security: {
    rateLimiter: {
      interval: 'hour' | 60000
    }
  }
})

Now it is configured like following:

export default defineNuxtConfig({
  security: {
    rateLimiter: {
      interval: 60000
    }
  }
})

This change was required to migrate to an updated rateLimiter that supports modern examples.

4. Nonce value

In the previous version, nonce could be either an object with a type NonceOptions or false.

export type NonceOptions = {
  enabled: boolean;
  mode?: 'renew' | 'check';
  value?: (() => string);
}

Now it is only a boolean value:

export default defineNuxtConfig({
  security: {
    nonce: true | false
  }
}

This change was necessary to resolve security vulnerability for nonce reported by vejja #257. Read more about the new usage of nonce in this module https://nuxt-security.vercel.app/documentation/headers/csp#nonce

5. Strict Content Security Policy by default

In this version, we have updated ContentSecurityConfiguration by a mile, specifically we have enabled strict CSP by default to spread good security practices.

If you are experiencing some issues with CSP, check out the new documentation about it:

1. Basic CSP usage -> https://nuxt-security.vercel.app/documentation/headers/csp
2. Advanced & Strict CSP -> https://nuxt-security.vercel.app/documentation/advanced/strict-csp

🍾 New features

This PR introduces per-route configuration of security headers, via

defineNuxtConfig({
  routeRules: {
    [some-route]: {
      security: {
        headers : ...
      }
    }
  }
})

🗞️ Next steps

This is the last release candidate version. In the next weeks we are planning to release stable 1.0.0 version :)

👉 Changelog
compare changes

🚀 Enhancements

• move logic of Static plugins to the top of module.ts to decrease the amount of code for SSG apps
• improve rateLimiter with support for unstorage (improve rateLimiter with support for unstorage #190)
• remove console.logs after build (Remove console.logs after build #128)
• add an include option for basicAuth (Add an include option for basicAuth #219)
• option to disable hashing for SSG (Option to disable hashing for SSG #215)
• support for CRSF in Serverless Environments
• Add credentialless value to Cross-Origin-Embedder-Policy header
• Export configuration type
• Improve CSP Compliance
• ensure csp plugins are added last
• Extend CSP support of SSG mode
• use cheerio HTML parser for CSP
• hashStyles option
• Strict CSP by default
• SRI hashes for SSG mode
• Subresource Integrity
• Per-route object based headers configuration
• Limiting CSP header to HTML responses only
• Migrate to Node 18.X
• Allow falling back to global options when per-route option is not provided

🩹 Fixes

• useCsrf() is undefined (useCsrf() is undefined #203)
• CSRF tokens cause breakage on build using serverless environments due to incompatible exports of Node Crypto (CSRF tokens cause breakage on build using serverless environments due to incompatible exports of Node Crypto #167)
• upgrade-insecure-requests cannot be turned off for static build (fix: upgrade-insecure-requests cannot be turned off for static build #214)
• invalid permission policy parser (Invalid permission policy parser #194)
• remove broken test for nonce (fix: remove broken test for nonce #213)
• Basic Auth Configuration for Multiple Paths
• Nonce value is injected in all pre-rendered pages if the nonce option is set to true
• failed to find a valid digest in the 'integrity' attribute
• Strict-Transport-Security as string not parsing max-age correctly
• Nuxt 3.8.1 breaks Subresource Integrity
• Unrecognized Content-Security-Policy directive 'undefined'
• Build fails because of removeLoggers
• allow csp value to be false

📖 Documentation

• refactor docs to be easier ([Docs] Refactor docs to be easier #135)
• create faq section in docs from questions in Github issues (Create faq section in docs from questions in Github issues #192)
• security composable to use in pages (Security composable to use in pages #217)
• Content-Security-Policy: The page’s settings blocked the loading of a resource at inline (Content-Security-Policy: The page’s settings blocked the loading of a resource at inline #218)
• custom CSP merger ([rfc] layers: custom CSP merger #198)
• stripe blocked by 'Cross-Origin-Embedder-Policy' (Stripe blocked by 'Cross-Origin-Embedder-Policy' #229)
• update 3.rate-limiter.md fix comma (Update 3.rate-limiter.md fix comma #204)
• New section for Contributing
• New section for Usage
• Reorganised Navigation
• Added global Search
• New Homepage
• New section for Headers
• New section for utils
• Embedded Playground
• New page for Releases
• Migrated to newest docus
• New Preview Image
• Per Route Security configuration with headers
• Clarify rateLimiter interval property
• Advanced documentation about Content Security Policy
• Cross-Origin-Resource-Policy header Error on Paypal Checkout -> FAQ

🏡 Chore

• remove legacy approach for middlewares in types and module.ts file (Remove legacy approach for middlewares in types and module.ts file #191)
• bump packages to newer versions (Bump packages to newer versions #183) -> Nuxt 3.2 -> 3.7
• Reorganized project repository for easier maintenance
• specify package manager (chore(package): specify manager #225)
• do not use default export for defu (chore(defu): do not use default export #224)
• Improve TS config

🤖 CI

• improved CI script for automatic unit tests for main, rc, and renovate branches

❤️ Contributors

• vejja (@vejja)
• Jonas Thelemann (@dargmuesli)
• Thomas Rijpstra (@trijpstra-fourlights)
• Nik (@n4an)
• Daniel Roe (@danielroe)
• Pooya Parsa (@pi0)
• Sébastien Chopin (@atinux)
• Mr. K V (@69u)
• Jonas Thelemann (@dargmuesli)
• Loïs (@Applelo)
• Max Druzhinin (@maxdzin)
• Fabricio Carvalho (@fabricioOak)
• nekotoriy (@nekotoriy)
• Insomnius (@insomnius)
• Boring Dragon (@boring-dragon)
• Espen Solli Grande (@espensgr)
• vejja (@vejja)
• Tristan (@Tristan971)
• nsratha (@rathahin)
• Geeky Shows (@geekyshow1)

What's Changed

• Update 3.rate-limiter.md fix comma by @insomnius in Update 3.rate-limiter.md fix comma #204
• fix: remove broken test for nonce by @trijpstra-fourlights in fix: remove broken test for nonce #213
• chore(package): specify manager by @dargmuesli in chore(package): specify manager #225
• chore(defu): do not use default export by @dargmuesli in chore(defu): do not use default export #224
• docs(configuration): add layer overriding instructions by @dargmuesli in docs(configuration): add layer overriding instructions #226
• ci: run on all pull requests and more branches by @dargmuesli in ci: run on all pull requests and more branches #223
• Add Missing commas inside the docs examples by @boring-dragon in Add Missing commas inside the docs examples #234
• chore: update nonce docs about unsafe-inline during development by @trijpstra-fourlights in chore: update nonce docs about unsafe-inline during development #240
• Add documentation for updating headers on a specific route by @fabricioOak in Add documentation for updating headers on a specific route #242
• Chore/1.0.0 rc.1 by @Baroshem in Chore/1.0.0 rc.1 #212
• Update 3.crossOriginEmbedderPolicy.md by @espensgr in Update 3.crossOriginEmbedderPolicy.md #261
• Fix/nonce-ssg by @vejja in Fix/nonce-ssg #245
• Ensure all types are exported by @Tristan971 in Ensure all types are exported #264
• improve CSP compliance by @vejja in improve CSP compliance #257
• Fix/typescript-config by @vejja in Fix/typescript-config #248
• fix(csp): ensure-plugins-last by @vejja in fix(csp): ensure-plugins-last #271
• feat(csp): Extend CSP support of SSG mode by @vejja in feat(csp): Extend CSP support of SSG mode #272
• Fix Basic Auth Configuration for Multiple Paths by @rathahin in Fix Basic Auth Configuration for Multiple Paths #267
• feat(csp): use cheerio parser by @vejja in feat(csp): use cheerio parser #275
• feat(csp): add hashStyles option for SSG by @vejja in feat(csp): add hashStyles option for SSG #274
• Chore/1.0.0 rc.3 by @Baroshem in Chore/1.0.0 rc.3 #262
• docs(csp): Documentation on CSP by @vejja in docs(csp): Documentation on CSP #282
• feat(csp): hashStyles option by @vejja in feat(csp): hashStyles option #278
• feat(sri): Subresource Integrity by @vejja in feat(sri): Subresource Integrity #285
• feat(csp): SRI hashes for SSG mode by @vejja in feat(csp): SRI hashes for SSG mode #287
• fix(headers): allow csp value to be false by @dargmuesli in fix(headers): allow csp value to be false #286
• feat(csp): Strict CSP by default by @vejja in feat(csp): Strict CSP by default #289
• chore/1.0.0-rc.4 by @Baroshem in chore/1.0.0-rc.4 #283
• docs: update route rules docs by @Baroshem in docs: update route rules docs #296
• feat(chore): Headers per route by @vejja in feat(chore): Headers per route #304
• Chore/1.0.0 rc.5 by @Baroshem in Chore/1.0.0 rc.5 #311
• fix(csrf): replace CSRF option false with boolean by @Mohamed-Kaizen in fix(csrf): replace CSRF option false with boolean #284
• feat(doc): extend FAQ with Prismic by @vejja in feat(doc): extend FAQ with Prismic #316
• Fix(types): do not overwrite @nuxt/schema by @vejja in Fix(types): do not overwrite @nuxt/schema #320
• fix(chore): hidePoweredBy error by @vejja in fix(chore): hidePoweredBy error #318
• fix: csp false in rc5 removes custom csp header by @vejja in fix: csp false in rc5 removes custom csp header #322
• improve implementation and add tests by @vejja in improve implementation and add tests #323
• Documentation typo change from route roules to route rules by @eyopa21 in Documentation typo change from route roules to route rules #325
• inject integrity attribute only on valid HTML elements by @vejja in inject integrity attribute only on valid HTML elements #328
• Chore/1.0.0 by @Baroshem in Chore/1.0.0 #317

New Contributors

• @insomnius made their first contribution in Update 3.rate-limiter.md fix comma #204
• @dargmuesli made their first contribution in chore(package): specify manager #225
• @boring-dragon made their first contribution in Add Missing commas inside the docs examples #234
• @fabricioOak made their first contribution in Add documentation for updating headers on a specific route #242
• @espensgr made their first contribution in Update 3.crossOriginEmbedderPolicy.md #261
• @vejja made their first contribution in Fix/nonce-ssg #245
• @rathahin made their first contribution in Fix Basic Auth Configuration for Multiple Paths #267
• @Mohamed-Kaizen made their first contribution in fix(csrf): replace CSRF option false with boolean #284
• @eyopa21 made their first contribution in Documentation typo change from route roules to route rules #325

---

This discussion was created from the release 1.0.0.