feat: add security headers (with nuxt-security) (#1025)

2023-01-16 03:00:44 +02:00 · 2023-01-16 03:00:44 +02:00 · d24c1da35e
commit d24c1da35e
parent 7c58d89044
3 changed files with 88 additions and 0 deletions
--- a/nuxt.config.ts
+++ b/nuxt.config.ts
@ -25,6 +25,7 @@ export default defineNuxtConfig({
    '@vue-macros/nuxt',
    '@nuxtjs/i18n',
    '@nuxtjs/color-mode',
+    'nuxt-security',
    '~/modules/purge-comments',
    '~/modules/setup-components',
    '~/modules/build-env',
@ -142,6 +143,30 @@ export default defineNuxtConfig({
      ],
    },
  },
+  security: {
+    headers: {
+      crossOriginEmbedderPolicy: false,
+      contentSecurityPolicy: {
+        value: {
+          'default-src': ['\'self\''],
+          'base-uri': ['\'self\''],
+          'connect-src': ['\'self\'', 'https:', 'http:', 'wss:', 'ws:'],
+          'font-src': ['\'self\''],
+          'form-action': ['\'none\''],
+          'frame-ancestors': ['\'none\''],
+          'img-src': ['\'self\'', 'https:', 'http:', 'data:'],
+          'media-src': ['\'self\'', 'https:', 'http:'],
+          'object-src': ['\'none\''],
+          'script-src': ['\'self\'', '\'unsafe-inline\''],
+          'script-src-attr': ['\'none\''],
+          'style-src': ['\'self\'', '\'unsafe-inline\''],
+          'upgrade-insecure-requests': true,
+        },
+        route: '/**',
+      },
+    },
+    rateLimiter: false,
+  },
  colorMode: { classSuffix: '' },
  i18n,
  pwa,