
feat: enable CSP for SSG #112

Merged
merged 1 commit into from Mar 2, 2023

Conversation

tresko
Contributor

@tresko tresko commented Feb 28, 2023

Types of changes

  • Bug fix (a non-breaking change which fixes an issue)
  • New feature (a non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Description

Add Content-Security-Policy meta tag for SSG pages.

Enables Content Security Policy for SSG pages.

Resolves: #108

Checklist:

  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have added tests to cover my changes (if not applicable, please state why)


@Baroshem
Owner

Hey @tresko

Thank you so much for this PR. I really like the idea! I will review it tomorrow and probably recommend you to write some docs and configuration so that this nitro plugin would be enabled automatically if the app is generated as SSG.

Stay tuned!

// Temporary as in Nuxt 3.0.0 header name is 'X-Powered-By' and in 3.1.X is 'x-powered-by'
if (response.headers['x-powered-by']) {
delete response.headers['x-powered-by']
} else if (response.headers['X-Powered-By']) {
delete response.headers['X-Powered-By']
}
})

nitro.hooks.hook('render:html', (html: NuxtRenderHTMLContext, { event }: { event: H3Event }) => {
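Review bot: the two literal casings in the X-Powered-By check (`if (response.headers['x-powered-by'])` / `else if (response.headers['X-Powered-By'])`) would be more robust as a single case-insensitive match over `Object.keys(response.headers)`, since the comment above notes the casing already changed between Nuxt 3.0.0 and 3.1.x and a third variant would silently leave the header in place.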
Owner
I would recommend creating a new file where this custom plugin could be registered as currently it is registered as a part of a XPoweredBy plugin so once a user disabled hidePoweredBy, this hook will not be triggered as well.

What is more, I would enable this module without any configuration if the project is running in SSG by default and remain configurability from security.headers.contentSecurityPolicy.value

contentArray.push(`${key} ${policyValue}`)
}
const content = contentArray.join('; ')
console.log(content)
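Review bot: the joined `content` ends up in a `<meta http-equiv="Content-Security-Policy">` tag, and browsers ignore `frame-ancestors`, `report-uri` and `sandbox` when the policy is delivered that way; the loop that builds `contentArray` should skip (or warn on) those keys so a configured `frame-ancestors 'none'` does not look enforced on SSG pages when it is not. The `console.log(content)` debug line should also go before merge.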
Owner
This can be deleted ;)
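A sketch of the separate plugin file suggested above, written here as an added example rather than the nuxt-security module's own code. It builds the meta content from a policy object shaped like `security.headers.contentSecurityPolicy.value` (assumed: directive name mapped to a source list, a string, or a boolean for valueless directives), drops the directives browsers ignore in a meta-delivered policy, and injects the tag through a hook shaped like the `render:html` one in the PR; `html.head` being a string array is an assumption about `NuxtRenderHTMLContext`.

```javascript
// Directives the CSP spec ignores when the policy is delivered via
// <meta http-equiv>; they only take effect as an HTTP response header,
// so emitting them in the tag would give a false sense of protection.
const META_UNSUPPORTED = new Set(['frame-ancestors', 'report-uri', 'sandbox']);

// Turn a policy object into the `content` attribute value, mirroring the
// `${key} ${policyValue}` / join('; ') shape used in the PR.
// Returns the dropped directive names as well so a plugin can warn about them.
function buildCspContent(policy) {
  const parts = [];
  const dropped = [];
  for (const [directive, value] of Object.entries(policy)) {
    if (value === false) continue;                 // directive switched off
    if (META_UNSUPPORTED.has(directive)) { dropped.push(directive); continue; }
    const sources = value === true ? '' : Array.isArray(value) ? value.join(' ') : String(value);
    parts.push(sources ? `${directive} ${sources}` : directive);
  }
  return { content: parts.join('; '), dropped };
}

// Minimal HTML attribute escaping so a source expression cannot break out
// of the double-quoted attribute.
function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

function cspMetaTag(policy) {
  const { content } = buildCspContent(policy);
  return `<meta http-equiv="Content-Security-Policy" content="${escapeAttr(content)}">`;
}

// Hook body: put the tag first in <head> so it precedes any script the page
// loads (a meta CSP only governs what comes after it in the document).
function injectCspMeta(html, policy) {
  html.head.unshift(cspMetaTag(policy));
  return html;
}

// Constructed sample policy (not the module's defaults), run stand-alone.
const samplePolicy = {
  'default-src': ["'self'"],
  'script-src': ["'self'", 'https://static.example'],
  'frame-ancestors': ["'none'"],
  'upgrade-insecure-requests': true,
};
console.log(injectCspMeta({ head: ['<title>SSG page</title>'] }, samplePolicy).head[0]);
```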

@Baroshem
Owner

Baroshem commented Mar 1, 2023

Also, I would add an appropriate documentation section about this SSG functionality.

Probably a new heading in the setup -> https://nuxt-security.vercel.app/getting-started/setup just above configuration called for example SSG Apps:

This module is meant to work with SSR apps but you can also use this module in SSG apps where you will get CSP support

@Baroshem
Owner

Baroshem commented Mar 1, 2023

Let me know @tresko if you have time to include these changes. If not, I can do that, no worries. I will mention you anyway in the release and in social media as the author of this feature and the contributor :)

@tresko
Contributor Author

tresko commented Mar 1, 2023

No problem, I will add it.

@Baroshem
Owner

Baroshem commented Mar 1, 2023

Awesome, let me know if you need any help :)

@tresko
Contributor Author

tresko commented Mar 1, 2023

Done, can you check it? :)

@Baroshem
Owner

Baroshem commented Mar 2, 2023

Nicely done @tresko 💚

I am now merging this feature and going to test it out in more details :)

Thank you so much for the contribution. Feel free to recommend other features that will make this module deliver an even better experience :)

@Baroshem Baroshem merged commit 3662614 into Baroshem:main Mar 2, 2023
Successfully merging this pull request may close these issues.

Investigate if it is possible to use this module with SSG