feat: enable CSP for SSG #112
Hey @tresko Thank you so much for this PR. I really like the idea! I will review it tomorrow and probably recommend you to write some docs and configuration so that this nitro plugin would be enabled automatically if the app is generated as SSG. Stay tuned!
src/runtime/nitro.ts
Outdated
// Temporary as in Nuxt 3.0.0 header name is 'X-Powered-By' and in 3.1.X is 'x-powered-by' | ||
if (response.headers['x-powered-by']) { | ||
delete response.headers['x-powered-by'] | ||
} else if (response.headers['X-Powered-By']) { | ||
delete response.headers['X-Powered-By'] | ||
} | ||
}) | ||
|
||
nitro.hooks.hook('render:html', (html: NuxtRenderHTMLContext, { event }: { event: H3Event }) => { |
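Review bot: The check on `response.headers['x-powered-by']` and `response.headers['X-Powered-By']` covers only those two exact spellings, and because of the `else if` it removes at most one of them. The comment above it says the casing already changed between Nuxt 3.0.0 and 3.1.X, so comparing each header key with `key.toLowerCase() === 'x-powered-by'` and deleting every match would survive another casing change and let the temporary workaround go.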
I would recommend creating a new file where this custom plugin could be registered as currently it is registered as a part of a XPoweredBy plugin so once a user disabled hidePoweredBy, this hook will not be triggered as well.
What is more, I would enable this module without any configuration if the project is running in SSG by default and remain configurability from security.headers.contentSecurityPolicy.value
src/runtime/nitro.ts
Outdated
contentArray.push(`${key} ${policyValue}`) | ||
} | ||
const content = contentArray.join('; ') | ||
console.log(content) |
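Review bot: The `contentArray.push(...)` call at the top of this hunk appends every directive to the string, but a policy delivered through a `<meta>` tag, which is what the PR description says this string is for, does not support `frame-ancestors`, `report-uri` or `sandbox`; browsers ignore them there. If the lines above this hunk do not already skip those keys, filter them out before the push so the generated tag does not suggest protections that are not in effect, and HTML-escape `content` before it is placed in the attribute. The `console.log(content)` on the last line prints the policy on every render and should be removed.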
This can be deleted ;)
Also, I would add an appropriate documentation section about this SSG functionality. Probably a new heading in the setup -> https://nuxt-security.vercel.app/getting-started/setup just above configuration called for example
Let me know @tresko if you have time to include these changes. If not, I can do that, no worries. I will mention you anyway in the release and in social media as the author of this feature and the contributor :)
No problem, I will add it.
Awesome, let me know if you need any help :)
Done, can you check it? :)
Nicely done @tresko 💚 I am now merging this feature and going to test it out in more detail :) Thank you so much for the contribution. Feel free to recommend other features that will make this module deliver an even better experience :)
Description
Add Content-Security-Policy meta tag for SSG pages.
Enables Content Security Policy for SSG pages.
Resolves: #108