Runtime Config for Security Headers #369
Comments
Thanks for reporting this issue. @huang-julien could you take a look? I think you are the best person for that question :)
I was just trying to disable some CSP headers via a boolean ENV flag and can't get it to work either :(
@huang-julien I created a quick stackblitz for reproduction: Would be interesting to know if it's just a documentation issue / misunderstanding or if it's not working at all .. which would surprise me as there is a test for that. In the Stackblitz the headers are not removed from the document's response, which prevents the preview from being rendered in the iframe.
Hey @huang-julien! Thanks for the reply! I assumed it would be possible to change / remove the headers by calling the hooks.
I've updated my repo to give you some more insight. If you enable the The same options are being passed via In short: using 'nuxt-security:headers' will not apply custom rules. Does this make sense?
I couldn't reproduce the render issue locally, but I reproduced the issue with the headers. Thank you!
Hey guys, I have merged a PR from @huang-julien to fix this issue and released it with 1.1.1 version. Could you check if everything works now? Thanks @huang-julien for the work! 💚
Thanks a lot guys. https://stackblitz.com/edit/nuxt-starter-p4acfm?file=server%2Fplugins%2Fsecurity-plugin.ts I was tinkering around with the settings and tried to add the exact headers from @huang-julien's test but I can't get them to show up in the document's response. I try to add the following headers in the plugin:
But the CSP header in the document's response is not altered: base-uri 'none'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic'; I really don't understand what's going on here as, by looking at the tests, this is supposed to work just fine.
Ok .. I will try that as well. Thanks for looking into it!
Hey @huang-julien just did. Went back to the stackblitz and debugged into : Where I found a silent error being thrown due to a missing import (setHeader -> undefined). Came back to comment. I believe it is still worth examining the differences in installing the module from its sources or via pkg manager, as it obviously makes a difference in how dependencies & utils are installed / indexed.
Version
nuxt-security: 1.1.0
nuxt: 3.10
Reproduction Link
https://stackblitz.com/edit/nuxt-starter-tjhotm?file=modules%2Fsecurity%2Findex.ts
Hi.
I want to actually use the new "runtimeHooks" but there must be something I'm missing.
I use ENV variables to define my headers.
Within the new 'nuxt-security:ready' hook I want to read the values from the runtimeConfig and pass them to the 'nuxt-security:headers' hook. Unfortunately none of these values are being applied. Some internal defaults are still being used.
Do I have to disable some default behaviour?
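The flow this issue asks about, as an added example that is not nuxt-security's code and not code posted by anyone in the thread: a `'nuxt-security:ready'` handler reads header values from ENV-backed runtime config and forwards route rules to `'nuxt-security:headers'`, and the rules it passes must replace the module's defaults rather than be ignored. The hook registry (`Hooks`), the default policy (built from the CSP value quoted in the thread), the `NUXT_CSP_*` variable names and the `HeaderRules` shape are assumptions made for this example; the real module's hook payloads may differ.

```typescript
// Added example, not code from nuxt-security or from anyone in this thread.
// It models the flow the issue asks about: a 'nuxt-security:ready' handler
// reads header values from runtime config (populated from ENV) and forwards
// them to 'nuxt-security:headers', whose rules must win over the module's
// built-in defaults. The hook registry, the default policy and the
// NUXT_CSP_* variable names are assumptions made for this example.

type Sources = string[];
type CspDirectives = Record<string, Sources>;
// In an override, null means "drop this directive from the policy".
type CspOverrides = Record<string, Sources | null>;

// Parse a serialized Content-Security-Policy value into directive -> sources.
export function parseCsp(value: string): CspDirectives {
  const out: CspDirectives = {};
  for (const part of value.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) out[name.toLowerCase()] = sources;
  }
  return out;
}

// Serialize directives back into a header value, sorted for stable comparison.
export function serializeCsp(policy: CspDirectives): string {
  return Object.keys(policy)
    .sort()
    .map((name) => [name, ...policy[name]].join(' '))
    .join('; ');
}

// Custom directives replace the default per directive; null removes one.
export function mergeCsp(defaults: CspDirectives, custom: CspOverrides): CspDirectives {
  const merged: CspDirectives = { ...defaults };
  for (const [name, sources] of Object.entries(custom)) {
    if (sources === null) delete merged[name];
    else merged[name] = [...sources];
  }
  return merged;
}

// Minimal synchronous hook registry standing in for the Nuxt hooks object.
// Handler exceptions propagate, so a ReferenceError from a missing import
// (the setHeader -> undefined case in the thread) is visible, not silent.
type Handler = (payload: unknown) => void;
export class Hooks {
  private handlers = new Map<string, Handler[]>();
  hook(name: string, fn: Handler): void {
    this.handlers.set(name, [...(this.handlers.get(name) ?? []), fn]);
  }
  callHook(name: string, payload?: unknown): void {
    for (const fn of this.handlers.get(name) ?? []) fn(payload);
  }
}

// Shape of the rules the 'nuxt-security:headers' handler receives here (assumed).
interface HeaderRules {
  route: string;
  headers: { contentSecurityPolicy?: CspOverrides };
}

// Default policy, constructed from the header value quoted in the thread.
export const DEFAULT_CSP: CspDirectives = parseCsp(
  "base-uri 'none'; font-src 'self' https: data:; form-action 'self'; " +
    "frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; " +
    "script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; " +
    "script-src 'self' https: 'unsafe-inline' 'strict-dynamic'"
);

// Runtime config as it would be populated from ENV; values are constructed.
export const SAMPLE_ENV: Record<string, string> = {
  NUXT_CSP_FRAME_ANCESTORS: "'self' https://preview.example.test",
  NUXT_CSP_NO_INLINE_STYLES: 'true',
};

// Wire module-side and user-side handlers and return the resulting CSP value.
export function buildCspFromHooks(env: Record<string, string>): string {
  const hooks = new Hooks();
  let overrides: CspOverrides = {};

  // Module side: record the route rules handed to 'nuxt-security:headers'.
  hooks.hook('nuxt-security:headers', (payload) => {
    const rules = payload as HeaderRules;
    if (rules.route === '/**' && rules.headers.contentSecurityPolicy) {
      overrides = { ...overrides, ...rules.headers.contentSecurityPolicy };
    }
  });

  // User side: read ENV-backed config in 'nuxt-security:ready' and emit rules.
  hooks.hook('nuxt-security:ready', () => {
    const csp: CspOverrides = {};
    if (env.NUXT_CSP_FRAME_ANCESTORS) {
      csp['frame-ancestors'] = env.NUXT_CSP_FRAME_ANCESTORS.split(/\s+/);
    }
    if (env.NUXT_CSP_NO_INLINE_STYLES === 'true') {
      // Boolean flag: tighten style-src by dropping 'unsafe-inline'.
      csp['style-src'] = (DEFAULT_CSP['style-src'] ?? []).filter((s) => s !== "'unsafe-inline'");
    }
    hooks.callHook('nuxt-security:headers', { route: '/**', headers: { contentSecurityPolicy: csp } });
  });

  hooks.callHook('nuxt-security:ready');
  return serializeCsp(mergeCsp(DEFAULT_CSP, overrides));
}
```

With `SAMPLE_ENV`, `buildCspFromHooks` yields the quoted default policy with `frame-ancestors` replaced by the ENV value and `'unsafe-inline'` removed from `style-src`; with an empty env it returns the defaults unchanged, which is the behaviour to check against when custom rules appear to be ignored. Because `callHook` lets handler exceptions propagate instead of swallowing them, a missing `setHeader` import would fail loudly here rather than leaving the default headers in place without a trace.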