feat: nuxt security module

plentymarkets · Jan 9, 2025 · 649bacd · 649bacd
1 parent c58c400
commit 649bacd
Show file tree

Hide file tree

Showing 5 changed files with 703 additions and 1 deletion.
diff --git a/apps/web/configuration/security.config.ts b/apps/web/configuration/security.config.ts
@@ -0,0 +1,114 @@
+import {
+  AllowedHTTPMethods,
+  BasicAuth,
+  CorsOptions,
+  ContentSecurityPolicyValue,
+  CrossOriginEmbedderPolicyValue,
+  CrossOriginOpenerPolicyValue,
+  CrossOriginResourcePolicyValue,
+  HTTPMethod,
+  PermissionsPolicyValue,
+  RateLimiter,
+  ReferrerPolicyValue,
+  RequestSizeLimiter,
+  StrictTransportSecurityValue,
+  Ssg,
+  XDnsPrefetchControlValue,
+  XFrameOptionsValue,
+  XPermittedCrossDomainPoliciesValue,
+  XssValidator,
+} from 'nuxt-security';
+
+// Enabling 'unsafe-eval' and 'unsafe-inline' can create security risks
+// eslint-disable-next-line unicorn/expiring-todo-comments
+// TODO: If these are not strictly necessary, we should aim to avoid them
+
+export const securityConfiguration = {
+  strict: false,
+  headers: {
+    crossOriginResourcePolicy: 'same-origin' as CrossOriginResourcePolicyValue,
+    crossOriginOpenerPolicy: 'same-origin' as CrossOriginOpenerPolicyValue,
+    crossOriginEmbedderPolicy: 'credentialless' as CrossOriginEmbedderPolicyValue,
+    contentSecurityPolicy: {
+      'base-uri': ["'none'"],
+      'font-src': ["'self'", 'https:', 'data:'],
+      'form-action': ["'self'"],
+      'frame-ancestors': ["'self'"],
+      'img-src': [
+        "'self'",
+        'data:',
+        'https://cdn02.plentymarkets.com',
+        'https://v957ap1x34.execute-api.eu-central-1.amazonaws.com',
+      ],
+      'object-src': ["'none'"],
+      'script-src-attr': ["'unsafe-inline'"],
+      'style-src': ["'self'", 'https:', "'unsafe-inline'"],
+      'script-src': ["'self'", 'https:', "'unsafe-inline'", "'strict-dynamic'", "'nonce-{{nonce}}'", "'unsafe-eval'"],
+      'upgrade-insecure-requests': true,
+      'report-to': '', // Sends CSP violation reports to our server
+      'report-uri': '', // Legacy reporting method
+    } as ContentSecurityPolicyValue,
+    originAgentCluster: '?1' as const,
+    referrerPolicy: 'no-referrer' as ReferrerPolicyValue,
+    strictTransportSecurity: {
+      maxAge: 31_536_000, // 1 year
+      includeSubdomains: true,
+      preload: true, // We should consider adding to the HSTS preload list
+    } as StrictTransportSecurityValue,
+    xContentTypeOptions: 'nosniff' as const,
+    xDNSPrefetchControl: 'off' as XDnsPrefetchControlValue,
+    xDownloadOptions: 'noopen' as const,
+    xFrameOptions: 'SAMEORIGIN' as XFrameOptionsValue,
+    xPermittedCrossDomainPolicies: 'none' as XPermittedCrossDomainPoliciesValue,
+    xXSSProtection: '0',
+    permissionsPolicy: {
+      camera: [],
+      'display-capture': [],
+      fullscreen: [],
+      geolocation: [],
+      microphone: [],
+    } as PermissionsPolicyValue,
+  },
+  requestSizeLimiter: {
+    maxRequestSizeInBytes: 2_000_000,
+    maxUploadFileRequestInBytes: 8_000_000,
+    throwError: true,
+  } as RequestSizeLimiter,
+  rateLimiter: {
+    tokensPerInterval: 150,
+    interval: 300_000,
+    headers: false,
+    driver: {
+      name: 'lruCache',
+    },
+    throwError: true,
+  } as RateLimiter,
+  xssValidator: {
+    throwError: true,
+  } as XssValidator,
+  corsHandler: {
+    origin: 'http://localhost:3000', // Limit to specific trusted domains
+    methods: ['GET', 'HEAD', 'PUT', 'PATCH', 'POST', 'DELETE'] as HTTPMethod[],
+    preflight: {
+      statusCode: 204,
+    },
+  } as CorsOptions,
+  allowedMethodsRestricter: {
+    methods: '*',
+    throwError: true,
+  } as AllowedHTTPMethods,
+  hidePoweredBy: true,
+  basicAuth: false as false | BasicAuth,
+  enabled: true,
+  csrf: false,
+  nonce: true,
+  removeLoggers: true,
+  ssg: {
+    meta: true,
+    hashScripts: true,
+    hashStyles: false,
+    nitroHeaders: true,
+    exportToPresets: true,
+  } as Ssg,
+  sri: true,
+};
diff --git a/apps/web/nuxt.config.ts b/apps/web/nuxt.config.ts
@@ -4,6 +4,7 @@ import cookieConfig from './configuration/cookie.config';
 import { nuxtI18nOptions } from './configuration/i18n.config';
 import { appConfiguration } from './configuration/app.config';
 import { fontFamilyNuxtConfig } from './configuration/fontFamily.config';
+import { securityConfiguration } from './configuration/security.config';
 
 export default defineNuxtConfig({
   telemetry: false,
@@ -12,6 +13,7 @@ export default defineNuxtConfig({
     typeCheck: true,
   },
   app: appConfiguration,
+  security: securityConfiguration,
   experimental: {
     asyncContext: true,
   },
@@ -67,6 +69,7 @@ export default defineNuxtConfig({
     },
   },
   modules: [
+    'nuxt-security',
     '@nuxt/image',
     '@nuxt/test-utils/module',
     '@nuxtjs/google-fonts',

diff --git a/docs/changelog/changelog_en.md b/docs/changelog/changelog_en.md
@@ -4,6 +4,7 @@
 
 ### New
 
+- Added Nuxt security module.
 - Added page for shipping legal text.
 - Added delivery days to checkout shipping providers.
 

diff --git a/package.json b/package.json
@@ -64,6 +64,7 @@
     "is-ci": "^3.0.1",
     "lint-staged": "^14.0.1",
     "nuxt": "^3.13.2",
+    "nuxt-security": "2.1.5",
     "nuxt-viewport": "^2.1.5",
     "playwright-core": "^1.45.1",
     "prettier": "^3.3.2",
-Original file line number
+Diff line change
@@ Expand Up / @@ -4,6 +4,7 @@ @@
     ### New
+    - Added Nuxt security module.
     - Added page for shipping legal text.
     - Added delivery days to checkout shipping providers.
@@ Expand Down @@