# nuxt-security breaks the app on Cloudflare Pages #137

## Comments
Hey, thanks for reporting this issue! I will take a look at it in the upcoming days :)

@Baroshem Thanks for that :)

I am currently investigating this issue but I have a question about the API endpoints. Could you tell me what you mean by them breaking? Do you get a certain error when running them, or does something else break?

@Baroshem Thanks! Yeah sure. By the way, I tested again and it seems that any path under

I suppose it is related to one of my middlewares that are trying to convert the object (maybe a body or query) and it is failing because of a different structure on Cloudflare, because as you mentioned it works correctly on other hosting providers.

@Baroshem Yes, that makes sense. Do you have a precise idea of which middleware could cause that?

I would guess that XSS or Request Size. But I am not sure as I have not worked with Cloudflare that much. I will check this out tomorrow probably, as today I am quite busy with regular work. If you have some time (and could help me with debugging), could you try to disable some of the middlewares to see which one is causing the problem? You can do so by just setting a

I will really appreciate it :)

@Baroshem I'm actually really busy too :|
I got an error log that looked like this

The error looks to be coming from

Disabling the

@shadow81627 Wow, thanks for your investigation!

Thanks for the investigation on that topic. As this bug seems to be related to an external dependency (either rate limiter or memory-cache), I would recommend you to disable this middleware by setting

This also motivates me to create a discussion about deprecating the rate limiter functionality, as it was supposed to work on the very basic examples and in more advanced cases it seems to be causing more problems than it solves. For real-life applications, a separate solution should be used that could help mitigate cases like DDoS attacks rather than this in-memory rate limiter. I will create this discussion in the upcoming days.

It seems that there is not a lot of traffic on the discussion about removing the rateLimiter, so at this point I can recommend you to disable the rateLimiter. The app should work ok right now. I will add a note in the documentation that this rateLimiter does not work on Cloudflare Pages.
Unsupported on CF Pages, see Baroshem/nuxt-security#137
Hey guys, could you add some comments in this discussion? #140 I am thinking about deprecating the built-in rate limiter due to the case that it creates more problems than it solves.

Closes #470

## Types of changes

- [ ] Bug fix (a non-breaking change which fixes an issue)
- [x] New feature (a non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing functionality to change)

## Description

This PR adds a new `owaspDefaults` option, which can take 2 possible values:

- `compatibility` (default): OWASP default settings are chosen to minimize the possibility of breaking the app. These default values are the same as in v1.
- `security`: OWASP default settings are chosen to maximize security. These default values will usually require some additional fine-tuning to ensure the app will run smoothly.

With the `security` OWASP level, the following headers are modified:

1. `contentSecurityPolicy` blocks everything by default with `default-src: 'none'`. In addition, all `'unsafe-inline'` values are removed.
2. `crossOriginEmbedderPolicy` is set to `require-corp`
3. `strictTransportSecurity` has the `preload` flag
4. `xFrameOptions` is set to `DENY`

## Checklist:

- [x] My change requires a change to the documentation.
- [ ] I have updated the documentation accordingly.
- [x] I have added tests to cover my changes (if not applicable, please state why)

## Types of changes

- [ ] Bug fix (a non-breaking change which fixes an issue)
- [x] New feature (a non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing functionality to change)

## Description

Closes #494

This PR introduces support for Nuxt Server Components (a.k.a. Islands).

## Checklist:

- [ ] My change requires a change to the documentation.
- [ ] I have updated the documentation accordingly.
- [ ] I have added tests to cover my changes (if not applicable, please state why)
## Version

- nuxt-security: 0.13.0
- nuxt: 3.3.3

## What is actually happening?

When hosting a Nuxt 3 app on Cloudflare Pages, enabling the `nuxt-security` module raises a `Cannot convert object to primitive value` error. In addition, enabling the module will also break all the server API endpoints that return a non-string value (e.g. an endpoint `/api/date` that returns a Date object). Disabling the module or hosting the app on Netlify or Vercel fixes the issue.
## Steps to reproduce

nuxt-security

```bash
NITRO_PRESET=cloudflare_pages npx nuxt build
npm install -g wrangler
npx wrangler pages dev dist/
```

## Other

There is a related discussion on Cloudflare's repo here: cloudflare/workers-sdk#2081

Thanks!