Baroshem · Baroshem · Jan 18, 2024 · Nov 19, 2023 · Nov 19, 2023 · Nov 19, 2023
diff --git a/docs/content/1.documentation/1.getting-started/3.usage.md b/docs/content/1.documentation/1.getting-started/3.usage.md
@@ -169,3 +169,37 @@ export default defineNuxtConfig({
   }
 })
 ```
+
+## Runtime configuration
+
+If you need to change the headers configuration at runtime, it is possible to do it through `nuxt-security:headers` hook.
+
+### Enabling the option
+
+This feature is optional, you can enable it with
+
+```ts
+export default defineNuxtConfig({
+    modules: ['nuxt-security'],
+    security: {
+        runtimeHooks: true
+    }
+})
+```
+
+### Usage
+
+Within your nitro plugin. You can override the previous configuration of a route with `nuxt-security:headers`.
+
+```ts
+export default defineNitroPlugin((nitroApp) => {
+    nitroApp.hooks.hook('nuxt-security:ready', () => {
+        nitroApp.hooks.callHook('nuxt-security:headers', '/**' ,{
+            contentSecurityPolicy: {
+                "script-src": ["'self'", "'unsafe-inline'"],
+            },
+            xFrameOptions: false
+        })
+    })
+})
+```
diff --git a/playground/nuxt.config.ts b/playground/nuxt.config.ts
@@ -24,6 +24,7 @@ export default defineNuxtConfig({
     rateLimiter: {
       tokensPerInterval: 10,
       interval: 10000
-    }
+    },
+    runtimeHooks: true
   }
 })
diff --git a/playground/server/api/runtime-hooks.ts b/playground/server/api/runtime-hooks.ts
@@ -0,0 +1,7 @@
+import { defineEventHandler } from "#imports"
+
+export default defineEventHandler((event) => {
+    return {
+        csp: getResponseHeader(event, 'Content-Security-Policy')
+    }
+})
diff --git a/playground/server/plugins/headers.ts b/playground/server/plugins/headers.ts
@@ -0,0 +1,14 @@
+
+export default defineNitroPlugin((nitroApp) => {
+    nitroApp.hooks.hook('nuxt-security:ready', () => {
+        nitroApp.hooks.callHook('nuxt-security:headers',
+        { 
+            route: '/api/runtime-hooks',
+            headers: {
+                contentSecurityPolicy: {
+                    "script-src": ["'self'", "'unsafe-inline'"],
+                }
+            }
+        })
+    })
+})
diff --git a/src/module.ts b/src/module.ts
@@ -1,6 +1,6 @@
 import { fileURLToPath } from 'node:url'
 import { resolve, normalize } from 'pathe'
-import { defineNuxtModule, addServerHandler, installModule, addVitePlugin } from '@nuxt/kit'
+import { defineNuxtModule, addServerHandler, installModule, addVitePlugin, addServerPlugin } from '@nuxt/kit'
 import { defu } from 'defu'
 import type { Nuxt } from '@nuxt/schema'
 import viteRemove from 'unplugin-remove/vite'
@@ -126,6 +126,15 @@ export default defineNuxtModule<ModuleOptions>({
     }
 
 
+    if(nuxt.options.security.runtimeHooks) {
+      addServerPlugin(resolve(runtimeDir, 'nitro/plugins/00-context'))
+      addServerHandler({
+        handler: normalize(
+          resolve(runtimeDir, 'server/middleware/headers')
+        )
+      })
+    }
+
     const allowedMethodsRestricterConfig = nuxt.options.security
     .allowedMethodsRestricter
     if (

diff --git a/src/runtime/nitro/plugins/00-context.ts b/src/runtime/nitro/plugins/00-context.ts
@@ -0,0 +1,33 @@
+import { getNameFromKey, headerStringFromObject} from "../../utils/headers"
+import { createRouter} from "radix3"
+import { defineNitroPlugin } from '#imports'
+import { OptionKey } from "~/src/module"
+
+export default defineNitroPlugin((nitroApp) => {
+    const router = createRouter()
+
+    nitroApp.hooks.hook('nuxt-security:headers', ({route, headers: headersConfig}) => {
+        const headers: Record<string, string |false > = {}
+
+        for (const [header, headerOptions] of Object.entries(headersConfig)) {
+            const headerName = getNameFromKey(header as OptionKey) 
+            if(headerName) {
+                const value = headerStringFromObject(header as OptionKey, headerOptions)
+                if(value) {
+                    headers[headerName] = value
+                } else {
+                    delete headers[headerName]
+                }
+            }
+        }
+
+        router.insert(route, headers)
+    })
+
+    nitroApp.hooks.hook('request', (event) => {
+        event.context.security = event.context.security || {}
+        event.context.security.headers = router.lookup(event.path)
+    })
+
+    nitroApp.hooks.callHook('nuxt-security:ready')
+})
diff --git a/src/runtime/server/middleware/headers.ts b/src/runtime/server/middleware/headers.ts
@@ -0,0 +1,13 @@
+import { defineEventHandler, setHeader, removeResponseHeader } from '#imports'
+
+export default defineEventHandler((event) => {
+    if(event.context.security.headers) {  
+        Object.entries(event.context.security.headers).forEach(([header, value]) => {
+            if (value === false) {
+                removeResponseHeader(event, header)
+            } else {
+                setHeader(event, header, value)
+            }
+        }) 
+    }
+})
diff --git a/src/runtime/utils/headers.ts b/src/runtime/utils/headers.ts
@@ -7,7 +7,7 @@ import type {
   SecurityHeaders
 } from '../../types/headers'
 
-const KEYS_TO_NAMES: Record<OptionKey, HeaderName> = {
+export const KEYS_TO_NAMES: Record<OptionKey, HeaderName> = {
   contentSecurityPolicy: 'Content-Security-Policy',
   crossOriginEmbedderPolicy: 'Cross-Origin-Embedder-Policy',
   crossOriginOpenerPolicy: 'Cross-Origin-Opener-Policy',

diff --git a/src/types/headers.ts b/src/types/headers.ts
@@ -243,3 +243,12 @@ export interface SecurityHeaders {
   xXSSProtection?: string | false;
   permissionsPolicy?: PermissionsPolicyValue | false;
 }
+
+
+declare module 'h3' {
+  interface H3EventContext {
+    security: {
+      headers: SecurityHeaders
+    }
+  }
+}
diff --git a/src/types/index.ts b/src/types/index.ts
@@ -22,6 +22,11 @@ export interface ModuleOptions {
   nonce: boolean;
   removeLoggers: RemoveOptions | false;
   ssg: Ssg | false;
+  /**
+   * enable runtime nitro hooks to configure some options at runtime
+   * Current configuration editable at runtime: headers
+   */
+  runtimeHooks: boolean;
   sri: boolean
 }
 
@@ -36,3 +41,18 @@ export type NuxtSecurityRouteRules = Pick<ModuleOptions,
   'sri' |
   'ssg'>
 
+  declare module 'nitropack' {
+    interface NitroRuntimeHooks {
+      'nuxt-security:headers': (config: {
+        /**
+         * The route for which the headers are being configured
+         */
+        route: string,
+        /**
+         * The headers configuration for the route
+         */
+        headers: SecurityHeaders
+      }) => void
+      'nuxt-security:ready': () => void
+    }
+  } 
diff --git a/test/fixtures/runtime-hooks/.nuxtrc b/test/fixtures/runtime-hooks/.nuxtrc
@@ -0,0 +1 @@
+imports.autoImport=true
diff --git a/test/fixtures/runtime-hooks/app.vue b/test/fixtures/runtime-hooks/app.vue
@@ -0,0 +1,5 @@
+<template>
+  <div>
+    <NuxtPage />
+  </div>
+</template>
diff --git a/test/fixtures/runtime-hooks/nuxt.config.ts b/test/fixtures/runtime-hooks/nuxt.config.ts
@@ -0,0 +1,21 @@
+import MyModule from '../../../src/module'
+
+export default defineNuxtConfig({
+  modules: [
+    MyModule
+  ],
+  routeRules:{
+    '/test': {
+      headers: {
+        'x-xss-protection': '1',
+      }
+    }
+  },
+  security: {
+    nonce: false,
+    runtimeHooks: true,
+    headers: {
+      contentSecurityPolicy: false
+    }
+  }
+})
diff --git a/test/fixtures/runtime-hooks/package.json b/test/fixtures/runtime-hooks/package.json
@@ -0,0 +1,5 @@
+{
+  "private": true,
+  "name": "runtime-hooks",
+  "type": "module"
+}
diff --git a/test/fixtures/runtime-hooks/pages/index.vue b/test/fixtures/runtime-hooks/pages/index.vue
@@ -0,0 +1,3 @@
+<template>
+  <div>runtime hooks</div>
+</template>
diff --git a/test/fixtures/runtime-hooks/server/api/runtime-hooks.ts b/test/fixtures/runtime-hooks/server/api/runtime-hooks.ts
@@ -0,0 +1,7 @@
+import { getResponseHeader } from "h3"
+
+export default defineEventHandler((event) => {
+    return {
+        csp: getResponseHeader(event, 'Content-Security-Policy')
+    }
+})
diff --git a/test/fixtures/runtime-hooks/server/plugins/headers.ts b/test/fixtures/runtime-hooks/server/plugins/headers.ts
@@ -0,0 +1,11 @@
+export default defineNitroPlugin((nitroApp) => {
+    nitroApp.hooks.hook('nuxt-security:ready', () => {
+        nitroApp.hooks.callHook('nuxt-security:headers', {
+            route: '/api/runtime-hooks', headers: {
+                contentSecurityPolicy: {
+                    "script-src": ["'self'", "'unsafe-inline'", '*.azure.com'],
+                }
+            }
+        })
+    })
+})
diff --git a/test/runtime-hooks.test.ts b/test/runtime-hooks.test.ts
@@ -0,0 +1,19 @@
+import { fileURLToPath } from 'node:url'
+import { describe, it, expect } from 'vitest'
+import { setup, fetch } from '@nuxt/test-utils'
+
+await setup({
+    rootDir: fileURLToPath(new URL('./fixtures/runtime-hooks', import.meta.url))
+})
+
+describe('[nuxt-security] runtime hooks', () => {
+    it('expect csp to be set by a runtime hook', async () => {
+        const res = await fetch('/api/runtime-hooks')
+        expect(await res.json()).toMatchInlineSnapshot(`
+          {
+            "csp": "script-src 'self' 'unsafe-inline' *.azure.com;",
+          }
+        `)
+        expect(res.headers.get('Content-Security-Policy')).toMatchInlineSnapshot('"script-src \'self\' \'unsafe-inline\' *.azure.com;"')
+    })
+})