Releases: Baroshem/nuxt-security
2.0.0
2.0.0 🎉
This is the new major version of the Nuxt Security module. After nine release candidate versions, we are ready to present you with this new amazing version 🚀
With it, we have updated many things, which you can check out below in comparison to version 1.4.0.
Enjoy!
New features
As a part of this new release, there are several new features.
A+ Score by default
Our new version delivers an A+ security rating by default on both the Mozilla Observatory and SecurityHeaders.com.
Our documentation page is deployed with Nuxt Security and is tested on these two scanners.
Performance optimization
We are considerably improving the performance of Nuxt Security with this release by removing all dependency on cheerio.
Applications running in lightweight environments such as workers will benefit from significantly reduced CPU and memory usage and faster page delivery.
Many thanks to @GalacticHypernova for leading the full rewrite of our HTML parsing engine 💚
All Nuxt modes
Security headers are now deployed in all Nuxt rendering modes:
- Universal
- Client-only
- Hybrid
See #441 for details.
OWASP compliance
We are updating our default security settings to conform with the latest OWASP default values for headers.
Users benefit from these updated settings out of the box, with no changes required.
See #450 for details.
Full Static Support
We are significantly improving application security for static websites:
- If the site is deployed with a Nitro Preset, security headers are now delivered natively. Netlify and Vercel static presets have been fully tested.
- If the site is deployed in a custom environment (e.g. bare-metal server), we provide a new `prerenderedHeaders` build-time hook that exposes all security headers for complete control of your server's headers.
🗞️ Next steps
We are planning a new release soon with the Nuxt DevTools Tab support 🚀
👉 Changelog
compare changes
❤️ Contributors
What's Changed
- feat(core): use virtual file system for SRI by @vejja in #435
- feat(core): Security Headers for Pre-rendered Routes by @vejja in #441
- feat(docs): add security to docs by @vejja in #451
- perf: avoid cheerio in favor of regex by @GalacticHypernova in #404
- fix(csp): ensure charset meta at top of head by @vejja in #449
- fix(docs): update FAQ section on `--host` mode by @vejja in #456
- feat(core): owasp default values by @vejja in #450
- fix(core): spread storage options by @vejja in #452
- fix: remove navigate-to csp directive by @GalacticHypernova in #457
- fix(types): allow middleware props to be optional when specified in global config by @GalacticHypernova in #458
- Chore/2.0.0 rc.1 by @Baroshem in #448
- Update package version by @vejja in #461
- fix(core): rollup error by @vejja in #463
- fix(headers): fix default-src owasp value by @vejja in #464
- fix(headers): add default for connect-src by @vejja in #465
- feat(headers): explicit directives by @vejja in #466
- fix(rc): bump package version by @vejja in #467
- Chore/2.0.0-rc.6 by @vejja in #468
- add per route csrf to docs by @moshetanzer in #471
- fix(csp): inline script/style have whitespace character by @hlhc in #478
- feat(core): introduce `strict` mode by @vejja in #483
- fix(docs): csp denial of pinceau styles runtime hydration by @vejja in #484
- Typo fix in docs by @Simlor in #486
- Indentation corrected by @Simlor in #490
- feat(csp): support style nonce in development by @dargmuesli in #475
- feat-#487: local dev with nuxt devtools by @Baroshem in #488
- feat(doc): introduce Nuxt Scripts as alternative to `useScript` by @vejja in #485
- Clarified when "require-corp" is the default value (documentation change) by @Simlor in #493
- fix: ensure RegExp[] origin can be passed to appSecurityOptions by @Shana-AE in #498
- docs: update information about Nuxt Image by @P4sca1 in #503
- feat: support server-only (NuxtIsland) components by @P4sca1 in #502
- fix: update to latest @nuxt/module-builder by @ThibaultVlacich in #516
- fix: augment @nuxt/schema rather than nuxt/schema by @ThibaultVlacich in #520
- feat: support using regular expressions as CORS origin by @P4sca1 in #509
- Chore/2.0.0 by @Baroshem in #492
New Contributors
2.0.0-rc.7
Support for #478
This new version updates the regular expressions in the 30-cspSsgHashes.ts file. The previous regular expression was not correctly capturing the content of inline script and style tags in all scenarios.
The old regular expression for inline scripts:
```ts
const INLINE_SCRIPT_RE = /<script(?![^>]*?\bsrc="[\w:.-\/]+")[^>]*>(.*?)<\/script>/gi
```
The updated regular expression:
```ts
const INLINE_SCRIPT_RE = /<script(?![^>]*?\bsrc="[\w:.-\/]+")[^>]*>([\s\S]*?)<\/script>/gi;
```
The change from `(.*?)` to `([\s\S]*?)` ensures that the regular expression matches any character, including newlines, between the `<script>` and `</script>` tags. This improves the accuracy of inline script content capture, ensuring that our CSP security hashes are correctly generated for all inline scripts.
What's Changed
- add per route csrf to docs by @moshetanzer in #471
- fix(csp): inline script/style have whitespace character by @hlhc in #478
New Contributors
- @moshetanzer made their first contribution in #471
- @hlhc made their first contribution in #478
Full Changelog: v2.0.0-rc.6...v2.0.0-rc.7
v2.0.0-rc.6
🩹 Fixes
Remove Experimental Permission-Policy values from default OWASP values.
This clears error warnings in Chrome
Full Changelog: v2.0.0-rc.5...v2.0.0-rc.6
v2.0.0-rc.5
Improved Security Score 🥇
We apply the Mozilla recommendations for CSP defaults
- deny by default with `default-src 'none'`
- allow on a directive-by-directive basis
Our Mozilla Score is now 120/100
Full Changelog: v2.0.0-rc.4...v2.0.0-rc.5
v2.0.0-rc.4
🩹 Fixes
Add default value for `connect-src` CSP directive.
Update documentation for new OWASP defaults
Full Changelog: v2.0.0-rc.3...v2.0.0-rc.4
v2.0.0-rc.3
v2.0.0-rc.2
🩹 Fixes
Fixes build failure due to misconfigured rollup step
What's Changed
Full Changelog: v2.0.0-rc.1...v2.0.0-rc.2
v2.0.0-rc.1
2.0.0-rc.1 🎉
This is a release candidate for the upcoming v2 of Nuxt Security.
A+ Score by default
Our new version delivers an A+ security rating by default on both the Mozilla Observatory and SecurityHeaders.com.
Our documentation page is deployed with Nuxt Security and is tested on these two scanners.
Performance optimization
We are considerably improving the performance of Nuxt Security with this release by removing all dependency on cheerio.
Applications running in lightweight environments such as workers will benefit from significantly reduced CPU and memory usage and faster page delivery.
Many thanks to @GalacticHypernova for leading the full rewrite of our HTML parsing engine 💚
All Nuxt modes
Security headers are now deployed in all Nuxt rendering modes:
- Universal
- Client-only
- Hybrid
See #441 for details.
OWASP compliance
We are updating our default security settings to conform with the latest OWASP default values for headers.
Users benefit from these updated settings out of the box, with no changes required.
See #450 for details.
Full static support
We are significantly improving application security for static websites:
- If the site is deployed with a Nitro Preset, security headers are now delivered natively. Netlify and Vercel static presets have been fully tested.
- If the site is deployed in a custom environment (e.g. bare-metal server), we provide a new `prerenderedHeaders` build-time hook that exposes all security headers for complete control of your server's headers.
Other features
- We now conform to the HTML5 standard when inserting the CSP `http-equiv` meta tag.
- We now support all `unstorage` driver options for the RateLimiter. Users can use any supported driver (Redis, Vercel KV, etc.).
👉 Changelog
compare changes
❤️ Contributors
What's Changed
- feat(core): use virtual file system for SRI by @vejja in #435
- feat(core): Security Headers for Pre-rendered Routes by @vejja in #441
- feat(docs): add security to docs by @vejja in #451
- perf: avoid cheerio in favor of regex by @GalacticHypernova in #404
- fix(csp): ensure charset meta at top of head by @vejja in #449
- fix(docs): update FAQ section on `--host` mode by @vejja in #456
- feat(core): owasp default values by @vejja in #450
- fix(core): spread storage options by @vejja in #452
- fix: remove navigate-to csp directive by @GalacticHypernova in #457
- fix(types): allow middleware props to be optional when specified in global config by @GalacticHypernova in #458
1.4.0
1.4.0 🎉
This version is a significant rewrite of the core engine of Nuxt Security, motivated primarily by the introduction of runtime hooks in PR #298 by @huang-julien and comments thereon by @harlan-zw.
Huge kudos to @vejja for delivering this great functionality 💚
Full Route-Level Compatibility
This great addition by Sebastien is detailed in #429; a short summary follows.
New features
- All security options can now be modified via runtime hooks: it is now possible to modify any of the Nuxt Security options, and not solely the headers. Any other option, such as hidePoweredBy or rateLimiter, is now taken into consideration and applied at route level.
- Route rules are now consistently merged: the router merging strategy is now the same irrespective of the way the security options are set (inline, global, routeRules, and runtime hooks). Previously, it was a mix of defu, defuReplaceArray, and plain overwriting, leading to confusion on how nested rules would apply (see #430 for instance). We now apply the defuReplaceArray strategy across the board.
- Clear scoping of security headers to HTML pages, SWR support: we now make a clearer distinction between the scope of Nitro plugins (modifying HTML pages and their headers) and the scope of server middlewares (functions that apply to all routes). This avoids overwriting the headers of non-HTML assets with irrelevant options, and as a result we are able to support SWR natively.
- Route-level support of RateLimiter: thanks to the ability to call resolveSecurityRoutes at runtime, we are now able to support route-based definitions for the rate limiter. This solves the issue of getting 429 denials for routes where we want to have a higher rate limit. We also take this opportunity to solve the issue of getting 429s when pre-rendering.
New runtime hook
This PR introduces a new runtime hook, `nuxt-security:routeRules`, that allows you to modify any security rule on any route. With this hook, the user is now able to apply any strategy for the rule (merge, overwrite, append, etc.).
```js
nitroApp.hooks.hook('nuxt-security:routeRules', async routeRules => {
  // any kind of modification of routeRules here, such as:
  routeRules['/my-route'] = ...
})
```
The former `nuxt-security:ready` and `nuxt-security:headers` hooks are still supported, but we are soft-deprecating them by removing them from the documentation.
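The following is an added example, not nuxt-security's own implementation, covering both the consistent defuReplaceArray merging described in the feature list and the `nuxt-security:routeRules` hook just shown. It is a small stand-in for the strategy (plain objects merge recursively, arrays are replaced rather than concatenated, the left-most layer wins), driven from a handler shaped like one an application registers on the hook. The option names `hidePoweredBy`, `rateLimiter` and `headers` come from this note; the rate-limiter keys `tokensPerInterval` and `interval` are assumed to follow the module's option names; the `/widgets/**` route, the header values and the `createHooks` object (a tiny simulation of `nitroApp.hooks`, not Nitro's) are constructed for the example.

```javascript
// Added example, not nuxt-security's own code: a minimal defuReplaceArray and
// a simulated nuxt-security:routeRules hook showing why arrays are replaced.
// All rule values below are constructed sample data.

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Merge `top` over `base`: plain objects recurse, scalars AND arrays in `top`
// replace what is in `base`, and null/undefined entries in `top` are skipped.
function mergeOver(top, base) {
  const out = { ...base };
  for (const [key, value] of Object.entries(top || {})) {
    if (value === null || value === undefined) continue;
    out[key] = isPlainObject(value) && isPlainObject(out[key])
      ? mergeOver(value, out[key])
      : value;
  }
  return out;
}

// defuReplaceArray(a, b, c): left-most layer wins. Unlike plain defu, an array
// replaces the lower layer's array instead of being concatenated onto it, so a
// route-level allow-list never silently inherits global entries.
function defuReplaceArray(...layers) {
  return layers.reduceRight((acc, layer) => mergeOver(layer, acc), {});
}

// Global security options (constructed), as a nuxt.config security block
// would set them.
const GLOBAL_RULES = {
  hidePoweredBy: true,
  rateLimiter: { tokensPerInterval: 150, interval: 300000 },
  headers: {
    contentSecurityPolicy: {
      "default-src": ["'none'"],
      "script-src": ["'self'", "'nonce-{{nonce}}'"],
    },
  },
};

// Tiny stand-in for nitroApp.hooks: register handlers, call them in order.
function createHooks() {
  const handlers = {};
  return {
    hook(name, fn) { (handlers[name] = handlers[name] || []).push(fn); },
    callHook(name, arg) { for (const fn of handlers[name] || []) fn(arg); return arg; },
  };
}

// Handler an application would register on 'nuxt-security:routeRules': raise
// the rate limit and swap the script-src allow-list for one route prefix.
function widgetRouteHandler(routeRules) {
  routeRules["/widgets/**"] = defuReplaceArray(
    {
      rateLimiter: { tokensPerInterval: 1000 },
      headers: { contentSecurityPolicy: { "script-src": ["'self'", "https://cdn.example"] } },
    },
    routeRules["/widgets/**"],
  );
}

// Build the route table through the hook, then resolve a request path to its
// effective options: the matching route rule merged over the global defaults.
function resolveSecurityRules(path) {
  const hooks = createHooks();
  hooks.hook("nuxt-security:routeRules", widgetRouteHandler);
  const routeRules = hooks.callHook("nuxt-security:routeRules", {});
  const pattern = Object.keys(routeRules).find((p) =>
    p.endsWith("/**") ? path.startsWith(p.slice(0, -2)) : p === path
  );
  return defuReplaceArray(pattern ? routeRules[pattern] : {}, GLOBAL_RULES);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(resolveSecurityRules("/widgets/chart"), null, 2));
}
```

Resolving `/widgets/chart` yields `script-src 'self' https://cdn.example` with the global `'nonce-{{nonce}}'` entry gone, while `default-src 'none'`, `hidePoweredBy` and the rate-limiter `interval` are inherited untouched; a path such as `/about` keeps the global rules. With plain defu the two `script-src` arrays would have been concatenated, which is the kind of surprise the note refers to.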
Additional notes
This version also soft-deprecates the substitution merging via string syntax feature. This is now rendered unnecessary because the defuReplaceArray strategy is applied consistently everywhere.
We are removing corresponding mentions in the documentation, which were confusing (it only applied to headers, and it only applied in the router merging step but not in the definition step). The feature still exists to maintain backwards compatibility.
Please note that some security options can only be applied globally (removeLoggers, csrf and basicAuth) because they depend on third-party modules. The TypeScript definitions have been updated to remove these 3 options from the properties that can be set at route-level.
🗞️ Next steps
We are planning a new release soon with the Nuxt DevTools Tab support 🚀
👉 Changelog
compare changes
❤️ Contributors
- @vejja
- @Jesse1989pp made their first contribution
- @Dominic-Marcelino made their first contribution
- @snepsnepy made their first contribution
What's Changed
- Vejja/issue413 by @vejja in #414
- update(doc): recommend useScript for Nuxt 3.11+ by @vejja in #403
- chore: bump unplugin-remove to fix sourcemap warnings by @Jesse1989pp in #420
- Update 1.csp.md - FIX comparison in docs by @Dominic-Marcelino in #424
- Fixed small typo found in the documentation by @snepsnepy in #431
- feat(core): unified router context by @vejja in #429
  - Closes #269: Rate Limiter is now disabled when building with SSG
  - Closes #281: Rate Limiter now records requests at the route level
  - Closes #300: All security options are now configurable via the new runtime hook
  - Closes #385: All security options are now resolved with the same merging strategy
  - Closes #392: Rate Limiter now supports any endpoint, including /api routes
  - Closes #428: SWR is now natively supported
  - Closes #430: There is no need to use string syntax anymore to overwrite higher-level rules
  - Closes #432: The function insertNonceInCsp now correctly handles boolean values for CSP directives
v1.3.0
1.3.0 🎉
This version brings several bugfixes and small new features.
Kudos to all contributors! 💚
🗞️ Next steps
We are already planning a release 1.3.0 that will include support for rate limiter global and per route as well as protecting api 🚀
👉 Changelog
compare changes
🚀 Enhancements
- fetch buffers from storage and convert to object
- enhance FormData with XSS validation feature
🩹 Fixes
- remove frame-ancestors from meta
- generate meta tag without html,head,body tags
- do not decode entities in HTML
- opt in to `import.meta.*` properties
- set nonce in response headers instead of using configuration
📖 Documentation
- use new `nuxi module add` command in installation
🏡 Chore
🤖 CI
❤️ Contributors
- @vejja
- @huang-julien
- @Ray0907 made their first contribution
- @danielroe
- @mtdvlpr
What's Changed
- fix(ssg): remove frame-ancestors from meta by @vejja in #388
- fix(ssg): generate meta tag without html,head,body tags by @mtdvlpr in #387
- fix(core): do not decode entities in HTML by @vejja in #394
- sri: fetch buffers from storage and convert to object by @vejja in #396
- Enhance FormData with XSS validation feature. by @Ray0907 in #401
- fix: opt in to `import.meta.*` properties by @danielroe in #406
- fix: set nonce in response headers instead of using configuration by @huang-julien in #408
- docs: use new `nuxi module add` command in installation by @danielroe in #410
- Chore/1.3.0 by @Baroshem in #399