The module by default will register middlewares and route roules to make your application more secure. If you need, you can also modify or disable any of middlewares/routes if you do not need them or your project cannot use them (i.e. some Statically Generated websites will not be able to use middlewares).
You can add configuration to the module like following:
export default defineNuxtConfig({ security: { requestSizeLimiter: { value: { maxRequestSizeInBytes: 3000000, maxUploadFileRequestInBytes: 9000000, }, route: '/upload-file' } // Other options }})Each middleware configuration object is build using same TS type:
type MiddlewareConfiguration<MIDDLEWARE> = { value: MIDDLEWARE; route: string;}value is the value of certain header or middleware. It may be a simple string or an object depending on the method.route is the route that should this header or middleware be attached to. By default for routeRoules (headers) the route is /** and for middlewares is '' (empty string) -> global middleware.All module configuration is the following type:
interface ModuleOptions { headers: SecurityHeaders | false; requestSizeLimiter: MiddlewareConfiguration<RequestSizeLimiter> | false; rateLimiter: MiddlewareConfiguration<RateLimiter> | false; xssValidator: MiddlewareConfiguration<XssValidator> | false; corsHandler: MiddlewareConfiguration<CorsOptions> | false; allowedMethodsRestricter: MiddlewareConfiguration<AllowedHTTPMethods> | false; hidePoweredBy: boolean; basicAuth: MiddlewareConfiguration<BasicAuth> | boolean; enabled: boolean;}All above ModuleOptions are explained in more details in the next chapter
This module will by default set the following configuration options to enable middlewares and route roules:
security: { headers: { crossOriginResourcePolicy: { value: 'same-origin', route: '/**' }, crossOriginOpenerPolicy: { value: 'same-origin', route: '/**' }, crossOriginEmbedderPolicy: { value: 'require-corp', route: '/**' }, contentSecurityPolicy: { value: { 'base-uri': ["'self'"], 'font-src': ["'self'", 'https:', 'data:'], 'form-action': ["'self'"], 'frame-ancestors': ["'self'"], 'img-src': ["'self'", 'data:'], 'object-src': ["'none'"], 'script-src-attr': ["'none'"], 'style-src': ["'self'", 'https:', "'unsafe-inline'"], 'upgrade-insecure-requests': true }, route: '/**' }, originAgentCluster: { value: '?1', route: '/**' }, referrerPolicy: { value: 'no-referrer', route: '/**' }, strictTransportSecurity: { value: { maxAge: 15552000, includeSubdomains: true }, route: '/**' }, xContentTypeOptions: { value: 'nosniff', route: '/**' }, xDNSPrefetchControl: { value: 'off', route: '/**' }, xDownloadOptions: { value: 'noopen', route: '/**' }, xFrameOptions: { value: 'SAMEORIGIN', route: '/**' }, xPermittedCrossDomainPolicies: { value: 'none', route: '/**' }, xXSSProtection: { value: '0', route: '/**' } }, requestSizeLimiter: { value: { maxRequestSizeInBytes: 2000000, maxUploadFileRequestInBytes: 8000000, }, route: '', throwError?: true, }, rateLimiter: { // Twitter search rate limiting value: { tokensPerInterval: 150, interval: "hour", fireImmediately: true, }, route: '', throwError?: true, }, xssValidator: { value: {}, route: '', throwError?: true, }, corsHandler: { value: { origin: '*', methods: ['GET','HEAD','PUT','PATCH','POST','DELETE'], preflight: { statusCode: 204 } }, route: '', }, allowedMethodsRestricter: { value: '*', route: '', throwError?: true, }, hidePoweredBy: true, basicAuth: false, enabled: true,}To read more about every security middleware, go to that middleware page in middlewares section.
In order to make this module work with Nuxt DevTools add following configuration to your projects:
export default defineNuxtConfig({ modules: ['nuxt-security', '@nuxt/devtools'], security: { headers: { crossOriginEmbedderPolicy: { value: process.env.NODE_ENV === 'development' ? 'unsafe-none' : 'require-corp', route: '/**', } }, },});