Configuration | nuxt-security

The module by default will register middlewares and route roules to make your application more secure. If you need, you can also modify or disable any of middlewares/routes if you do not need them or your project cannot use them (i.e. some Statically Generated websites will not be able to use middlewares).

Configuration Types

export type MiddlewareConfiguration<MIDDLEWARE> = {  value: MIDDLEWARE;  route: string;}

export interface ModuleOptions {  headers: SecurityHeaders | boolean;  requestSizeLimiter: MiddlewareConfiguration<RequestSizeLimiter> | boolean;  rateLimiter: MiddlewareConfiguration<RateLimiter> | boolean;  xssValidator: MiddlewareConfiguration<XssValidator> | boolean;  corsHandler: MiddlewareConfiguration<CorsOptions> | boolean;  allowedMethodsRestricter: MiddlewareConfiguration<AllowedHTTPMethods> | boolean;  hidePoweredBy: boolean;  basicAuth: MiddlewareConfiguration<BasicAuth> | boolean;}

Default configuration

This module will by default set the following configuration options to enable middlewares:

security: {  headers: {    crossOriginResourcePolicy: {      value: "same-origin",      route: '/**',    },    crossOriginOpenerPolicy: {      value: "same-origin",      route: '/**',    },    crossOriginEmbedderPolicy: {      value: "require-corp",      route: '/**',    },    contentSecurityPolicy: {      value:        "base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests",      route: '/**',    },    originAgentCluster: {      value: "?1",      route: '/**',    },    referrerPolicy: {      value: "no-referrer",      route: '/**',    },    strictTransportSecurity: {      value: "max-age=15552000; includeSubDomains",      route: '/**',    },    xContentTypeOptions: {      value: "nosniff",      route: '/**',    },    xDNSPrefetchControl: {      value: "off",      route: '/**',    },    xDownloadOptions: {      value: "noopen",      route: '/**',    },    xFrameOptions: {      value: "SAMEORIGIN",      route: '/**',    },    xPermittedCrossDomainPolicies: {      value: "none",      route: '/**',    },    xXSSProtection: {      value: 0,      route: '/**',    },  },  requestSizeLimiter: {    value: {      maxRequestSizeInBytes: 2000000,      maxUploadFileRequestInBytes: 8000000,    },    route: '',  },  rateLimiter: {    // Twitter search rate limiting    value: {      tokensPerInterval: 150,      interval: "hour",      fireImmediately: true,    },    route: '',  },  xssValidator: {    value: {},    route: '',  },  corsHandler: {    value: {      origin: '*',      methods: ['GET','HEAD','PUT','PATCH','POST','DELETE'],      preflight: {        statusCode: 204      }    },    route: '',  },  allowedMethodsRestricter: {    value: '*',    route: '',  },  hidePoweredBy: true,  basicAuth: false}

To read more about every security middleware, go to that middleware page in middlewares section.