Merge pull request #450 from Baroshem/feat/owasp-defaults

feat(core) : owasp default values
nuxt-modules · May 22, 2024 · 5466dda · 5466dda
2 parents 3584775 + 944acbc
commit 5466dda
Show file tree

Hide file tree

Showing 6 changed files with 157 additions and 85 deletions.
diff --git a/src/defaultConfig.ts b/src/defaultConfig.ts
@@ -8,8 +8,8 @@ export const defaultSecurityConfig = (serverlUrl: string): Partial<ModuleOptions
     crossOriginOpenerPolicy: 'same-origin',
     crossOriginEmbedderPolicy: 'require-corp',
     contentSecurityPolicy: {
-      //'default-src' : ["'none'"],
       'base-uri': ["'none'"],
+      'default-src' : ["'none'"],
       'font-src': ["'self'", 'https:', 'data:'],
       'form-action': ["'self'"],
       'frame-ancestors': ["'self'"],
@@ -23,21 +23,45 @@ export const defaultSecurityConfig = (serverlUrl: string): Partial<ModuleOptions
     originAgentCluster: '?1',
     referrerPolicy: 'no-referrer',
     strictTransportSecurity: {
-      maxAge: 15552000,
+      maxAge: 31536000,
       includeSubdomains: true
     },
     xContentTypeOptions: 'nosniff',
     xDNSPrefetchControl: 'off',
     xDownloadOptions: 'noopen',
-    xFrameOptions: 'SAMEORIGIN',
+    xFrameOptions: 'DENY',
     xPermittedCrossDomainPolicies: 'none',
     xXSSProtection: '0',
     permissionsPolicy: {
-      camera: [],
-      'display-capture': [],
-      fullscreen: [],
-      geolocation: [],
-      microphone: []
+      accelerometer: [],
+      'ambient-light-sensor':[],
+      autoplay:[],
+      battery:[],
+      camera:[],
+      'display-capture':[],
+      'document-domain':[],
+      'encrypted-media':[],
+      fullscreen:[],
+      gamepad:[],
+      geolocation:[],
+      gyroscope:[],
+      'layout-animations':['self'],
+      'legacy-image-formats':['self'],
+      magnetometer:[],
+      microphone:[],
+      midi:[],
+      'oversized-images':['self'],
+      payment:[],
+      'picture-in-picture':[],
+      'publickey-credentials-get':[],
+      'speaker-selection':[],
+      'sync-xhr':['self'],
+      'unoptimized-images':['self'],
+      'unsized-media':['self'],
+      usb:[],
+      'screen-wake-lock':[],
+      'web-share':[],
+      'xr-spatial-tracking':[]
     }
   },
   requestSizeLimiter: {

diff --git a/src/types/headers.ts b/src/types/headers.ts
@@ -100,6 +100,9 @@ export type PermissionsPolicyValue = {
   'fullscreen'?: string[] | string | false;
   'geolocation'?: string[] | string | false;
   'microphone'?: string[] | string | false;
+  'publickey-credentials-get'?: string[] | string | false;
+  'screen-wake-lock'?: string[] | string | false;
+  'web-share'?: string[] | string | false;
   /**
    * 🧪 Experimental. Expect browser behavior to change in the future.
    */
@@ -116,6 +119,14 @@ export type PermissionsPolicyValue = {
    * 🧪 Experimental. Expect browser behavior to change in the future.
    */
   'battery'?: string[] | string | false;
+  /**
+   * 🧪 Experimental. Expect browser behavior to change in the future.
+   */
+  'bluetooth'?: string[] | string | false;
+  /**
+   * 🧪 Experimental. Expect browser behavior to change in the future.
+   */
+  'browsing-topics'?: string[] | string | false;
   /**
    * 🧪 Experimental. Expect browser behavior to change in the future.
    */
@@ -147,7 +158,20 @@ export type PermissionsPolicyValue = {
   /**
    * 🧪 Experimental. Expect browser behavior to change in the future.
    */
+  'identity-credentials-get'?: string[] | string | false;
+  /**
+   * 🧪 Experimental. Expect browser behavior to change in the future.
+   */
+
   'idle-detection'?: string[] | string | false;
+  /**
+   * 🧪 Mozilla-undocumented. Expect browser behavior to change in the future.
+   */
+  'layout-animations'?: string[] | string | false;
+  /**
+   * 🧪 Mozilla-undocumented. Expect browser behavior to change in the future.
+   */
+  'legacy-image-formats'?: string[] | string | false;
   /**
    * 🧪 Experimental. Expect browser behavior to change in the future.
    */
@@ -163,19 +187,23 @@ export type PermissionsPolicyValue = {
   /**
    * 🧪 Experimental. Expect browser behavior to change in the future.
    */
-  'payment'?: string[] | string | false;
+  'otp-credentials'?: string[] | string | false;
+  /**
+   * 🧪 Mozilla-undocumented. Expect browser behavior to change in the future.
+   */
+  'oversized-images'?: string[] | string | false;
   /**
    * 🧪 Experimental. Expect browser behavior to change in the future.
    */
-  'picture-in-picture'?: string[] | string | false;
+  'payment'?: string[] | string | false;
   /**
    * 🧪 Experimental. Expect browser behavior to change in the future.
    */
-  'publickey-credentials-get'?: string[] | string | false;
+  'picture-in-picture'?: string[] | string | false;
   /**
    * 🧪 Experimental. Expect browser behavior to change in the future.
    */
-  'screen-wake-lock'?: string[] | string | false;
+  'publickey-credentials-create'?: string[] | string | false;
   /**
    * 🧪 Experimental. Expect browser behavior to change in the future.
    */
@@ -187,8 +215,28 @@ export type PermissionsPolicyValue = {
   /**
    * 🧪 Experimental. Expect browser behavior to change in the future.
    */
+  'storage-access'?: string[] | string | false;
+  /**
+   * 🧪 Experimental. Expect browser behavior to change in the future.
+   */
+
   'usb'?: string[] | string | false;
-  'web-share'?: string[] | string | false;
+  /**
+   * 🧪 Mozilla-undocumented. Expect browser behavior to change in the future.
+   */
+  'sync-xhr'?: string[] | string | false;
+  /**
+   * 🧪 Mozilla-undocumented. Expect browser behavior to change in the future.
+   */
+  'unoptimized-images'?: string[] | string | false;
+  /**
+   * 🧪 Mozilla-undocumented. Expect browser behavior to change in the future.
+   */
+  'unsized-media'?: string[] | string | false;
+  /**
+     * 🧪 Experimental. Expect browser behavior to change in the future.
+     */
+  'window-management'?: string[] | string | false;
   /**
    * 🧪 Experimental. Expect browser behavior to change in the future.
    */

diff --git a/test/headers.test.ts b/test/headers.test.ts
@@ -37,7 +37,7 @@ describe('[nuxt-security] Headers', async () => {
     expect(cspHeaderValue).toBeTruthy()
     expect(nonceValue).toBeDefined()
     expect(nonceValue).toHaveLength(24)
-    expect(cspHeaderValue).toBe(`base-uri 'none'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic' 'nonce-${nonceValue}'; upgrade-insecure-requests;`)
+    expect(cspHeaderValue).toBe(`base-uri 'none'; default-src 'none'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic' 'nonce-${nonceValue}'; upgrade-insecure-requests;`)
   })
 
   it('has `cross-origin-embedder-policy` header set with correct default value', async () => {
@@ -92,7 +92,7 @@ describe('[nuxt-security] Headers', async () => {
     const ppHeaderValue = headers.get('permissions-policy')
 
     expect(ppHeaderValue).toBeTruthy()
-    expect(ppHeaderValue).toBe('camera=(), display-capture=(), fullscreen=(), geolocation=(), microphone=()')
+    expect(ppHeaderValue).toBe('accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), layout-animations=(self), legacy-image-formats=(self), magnetometer=(), microphone=(), midi=(), oversized-images=(self), payment=(), picture-in-picture=(), publickey-credentials-get=(), speaker-selection=(), sync-xhr=(self), unoptimized-images=(self), unsized-media=(self), usb=(), screen-wake-lock=(), web-share=(), xr-spatial-tracking=()')
   })
 
   it('has `referrer-policy` header set with correct default value', async () => {
@@ -114,7 +114,7 @@ describe('[nuxt-security] Headers', async () => {
     const stsHeaderValue = headers.get('strict-transport-security')
 
     expect(stsHeaderValue).toBeTruthy()
-    expect(stsHeaderValue).toBe('max-age=15552000; includeSubDomains;')
+    expect(stsHeaderValue).toBe('max-age=31536000; includeSubDomains;')
   })
 
   it('has `x-content-type-options` header set with correct default value', async () => {
@@ -158,7 +158,7 @@ describe('[nuxt-security] Headers', async () => {
     const xfoHeaderValue = headers.get('x-frame-options')
 
     expect(xfoHeaderValue).toBeTruthy()
-    expect(xfoHeaderValue).toBe('SAMEORIGIN')
+    expect(xfoHeaderValue).toBe('DENY')
   })
 
   it('has `x-permitted-cross-domain-policies` header set with correct default value', async () => {