Chore/1.0.0 rc.3

.eslintrc

@@ -1,6 +1,3 @@
 {
-  "extends": ["@nuxtjs/eslint-config-typescript"],
-  "rules": {
-    "@typescript-eslint/no-unused-vars": ["off"]
-  }
+  "extends": ["@nuxt/eslint-config"]
 }

.gitignore

@@ -49,3 +49,6 @@ coverage
 Network Trash Folder
 Temporary Items
 .apdisk
+
+# Yarn is the package manager, do not commit npm lock file
+package-lock.json

.npmrc

@@ -0,0 +1,2 @@
+shamefully-hoist=true
+strict-peer-dependencies=false

.nuxtrc

@@ -1 +1,2 @@
-imports.autoImport=true
+imports.autoImport=false
+typescript.includeWorkspace=true

.stackblitz/.gitignore

@@ -6,3 +6,4 @@ node_modules
 .output
 .env
 dist
+.vercel

docs/.nuxtrc

@@ -0,0 +1 @@
+imports.autoImport=true

docs/content/1.documentation/1.getting-started/2.configuration.md

@@ -24,7 +24,7 @@ interface ModuleOptions {
   basicAuth: BasicAuth | false;
   enabled: boolean;
   csrf: CsrfOptions | false;
-  nonce: NonceOptions | false;
+  nonce: boolean;
   removeLoggers?: RemoveOptions | false;
   ssg?: Ssg;
 }

docs/content/1.documentation/2.headers/1.csp.md

@@ -165,7 +165,6 @@ export default defineNuxtConfig({
             ? [
               "'self'", // backwards compatibility for older browsers that don't support strict-dynamic
               "'nonce-{{nonce}}'",
-              "'strict-dynamic'",
             ]
             : // In dev mode, we allow unsafe-inline so that hot reloading keeps working
             ["'self'", "'unsafe-inline'"],
@@ -193,11 +192,11 @@ The `nonce` value is generated per request and is added to the CSP header. This
 ```ts
 export default defineNuxtConfig({
   routeRules: {
-    '/api/custom-route': {
-      nonce: false    // do not check nonce for this route (1)
+    '/custom-route': {
+      nonce: false    // do not generate nonce for this route (1)
     },
-    '/api/other-route': {
-      nonce: { mode: 'check' }  // do not generate a new nonce for this route, but check it against the existing one (2)
+    '/other-route': {
+      nonce: true  // generate a new nonce for this route (2)
     }
   }
 })

docs/content/1.documentation/2.headers/3.crossOriginEmbedderPolicy.md

@@ -53,7 +53,7 @@ Cross-Origin-Embedder-Policy: require-corp
 The `crossOriginEmbedderPolicy` header can be configured with following values.
 
 ```ts
-crossOriginEmbedderPolicy: 'unsafe-none' | 'require-corp' | false;
+crossOriginEmbedderPolicy: 'unsafe-none' | 'require-corp' | 'credentialless' | false;
 ```
 
 ### `unsafe-none`
@@ -64,6 +64,10 @@ This is the default value. Allows the document to fetch cross-origin resources w
 
 A document can only load resources from the same origin, or resources explicitly marked as loadable from another origin. If a cross origin resource supports CORS, the crossorigin attribute or the Cross-Origin-Resource-Policy header must be used to load it without being blocked by COEP.
 
+### `credentialless`
+
+no-cors cross-origin requests are sent without credentials. In particular, it means Cookies are omitted from the request, and ignored from the response. The responses are allowed **without** an explicit permission via the Cross-Origin-Resource-Policy header. Navigate responses behave similarly as the require-corp mode: They require Cross-Origin-Resource-Policy response header.
+
 ::alert{type="warning"}
 ⚠️ Read more about `Avoiding blockage with CORS` [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy#avoiding_coep_blockage_with_cors).
 ::

docs/content/1.documentation/3.middleware/1.rate-limiter.md

@@ -72,7 +72,7 @@ The amount of requests that reach the application before rate limiting will bloc
 
 - Default: `300000`
 
-The time after which the rate limiting will be reset.
+The time value in miliseconds after which the rate limiting will be reset. For example, if you set it to `10000` and `tokensPerInterval: 3` it will allow three requests from one IP address in 10 seconds and the next one in this interval will be banned. After 10 seconds however, user will be able to send requests again.
 
 ### `headers`
 

package.json

@@ -35,22 +35,22 @@
     "dist"
   ],
   "scripts": {
-    "prepack": "nuxt-module-build",
-    "dev": "nuxt-module-build --stub && nuxi prepare playground && nuxi dev playground",
+    "prepack": "nuxt-module-build build",
+    "dev": "nuxt-module-build build --stub && nuxt-module-build prepare && nuxi prepare playground && nuxi dev playground",
     "dev:build": "nuxi build playground",
     "dev:start": "nuxi start playground",
     "dev:generate": "nuxi generate playground",
-    "dev:prepare": "nuxt-module-build --stub && nuxi prepare playground",
+    "dev:prepare": "nuxt-module-build build --stub && nuxt-module-build prepare && nuxi prepare playground",
     "dev:preview": "nuxi preview playground",
     "dev:docs": "cd docs && yarn dev",
-    "lint": "eslint --ext .js,.ts,.vue",
+    "lint": "eslint .",
     "test": "vitest run --silent",
     "test:watch": "vitest watch",
     "stackblitz": "cd .stackblitz && yarn && yarn dev"
   },
   "packageManager": "[email protected]",
   "dependencies": {
-    "@nuxt/kit": "^3.7.3",
+    "@nuxt/kit": "^3.8.0",
     "basic-auth": "^2.0.1",
     "defu": "^6.1.1",
     "nuxt-csurf": "^1.3.1",
@@ -59,15 +59,15 @@
     "xss": "^1.0.14"
   },
   "devDependencies": {
-    "@nuxt/module-builder": "latest",
-    "@nuxt/schema": "^3.7.3",
-    "@nuxt/test-utils": "^3.7.3",
-    "@nuxtjs/eslint-config-typescript": "latest",
-    "@types/node": "^18.14.4",
-    "eslint": "latest",
-    "nuxt": "^3.7.3",
-    "typescript": "5.2.2",
-    "vitest": "^0.28.5"
+    "@nuxt/module-builder": "^0.5.2",
+    "@nuxt/schema": "^3.8.0",
+    "@nuxt/test-utils": "^3.8.0",
+    "@nuxt/eslint-config": "^0.2.0",
+    "@types/node": "^18.18.1",
+    "eslint": "^8.50.0",
+    "nuxt": "^3.8.0",
+    "typescript": "^5.2.2",
+    "vitest": "^0.33.0"
   },
   "stackblitz": {
     "installDependencies": false,

playground/.nuxtrc

@@ -0,0 +1 @@
+imports.autoImport=true

playground/pages/secret.vue

@@ -1,3 +1,5 @@
 <template>
-  Secret Route
+  <div>
+    Secret Route
+  </div>
 </template>

playground/server/api/test.post.ts

@@ -1,6 +1,3 @@
-import { defineEventHandler } from 'h3'
-
-
 export default defineEventHandler((event) => {
   console.log('test')
 })

playground/server/tsconfig.json

@@ -0,0 +1,3 @@
+{
+  "extends": "../.nuxt/tsconfig.server.json"
+}

playground/tsconfig.json

@@ -0,0 +1,3 @@
+{
+  "extends": "./.nuxt/tsconfig.json"
+}

src/module.ts

@@ -2,28 +2,32 @@ import { fileURLToPath } from 'node:url'
 import { resolve, normalize } from 'pathe'
 import { defineNuxtModule, addServerHandler, installModule, addVitePlugin } from '@nuxt/kit'
 import { defu } from 'defu'
-import { Nuxt, RuntimeConfig } from '@nuxt/schema'
+import type { Nuxt, RuntimeConfig } from '@nuxt/schema'
 import viteRemove from 'unplugin-remove/vite'
 import { defuReplaceArray } from './utils'
-import {
+import type {
   ModuleOptions,
   NuxtSecurityRouteRules
 } from './types/index'
-import {
+import type {
   SecurityHeaders
 } from './types/headers'
-import {
+import type {
   BasicAuth
 } from './types/middlewares'
 import {
   defaultSecurityConfig
 } from './defaultConfig'
 import { SECURITY_MIDDLEWARE_NAMES } from './middlewares'
-import { HeaderMapper, SECURITY_HEADER_NAMES, getHeaderValueFromOptions } from './headers'
+import { type HeaderMapper, SECURITY_HEADER_NAMES, getHeaderValueFromOptions } from './headers'
 
-declare module '@nuxt/schema' {
+declare module 'nuxt/schema' {
   interface NuxtOptions {
-    security: ModuleOptions;
+    security: ModuleOptions
+  }
+  interface RuntimeConfig {
+    security: ModuleOptions,
+    private: { basicAuth: BasicAuth | false, [key: string]: any }
   }
 }
 
@@ -36,6 +40,10 @@ declare module 'nitropack' {
   }
 }
 
+export * from './types/index'
+export * from './types/headers'
+export * from './types/middlewares'
+
 export default defineNuxtModule<ModuleOptions>({
   meta: {
     name: 'nuxt-security',
@@ -63,7 +71,7 @@ export default defineNuxtModule<ModuleOptions>({
     nuxt.options.runtimeConfig.private = defu(
       nuxt.options.runtimeConfig.private,
       {
-        basicAuth: securityOptions.basicAuth as BasicAuth | boolean
+        basicAuth: securityOptions.basicAuth
       }
     )
 
@@ -72,7 +80,7 @@ export default defineNuxtModule<ModuleOptions>({
     nuxt.options.runtimeConfig.security = defu(
       nuxt.options.runtimeConfig.security,
       {
-        ...(securityOptions as unknown as RuntimeConfig['security'])
+        ...securityOptions
       }
     )
 
@@ -82,6 +90,11 @@ export default defineNuxtModule<ModuleOptions>({
 
     setSecurityRouteRules(nuxt, securityOptions)
 
+    // Remove Content-Security-Policy header in pre-rendered routes
+    // When pre-rendered, the CSP is provided via html <meta> instead
+    // If kept, this would block the site from rendering
+    removeCspHeaderForPrerenderedRoutes(nuxt)
+
     if (nuxt.options.security.requestSizeLimiter) {
       addServerHandler({
         handler: normalize(
@@ -113,7 +126,6 @@ export default defineNuxtModule<ModuleOptions>({
         )
       })
     }
-
     if (nuxt.options.security.nonce) {
       addServerHandler({
         handler: normalize(
@@ -197,6 +209,17 @@ const setSecurityRouteRules = (nuxt: Nuxt, securityOptions: ModuleOptions) => {
   }
 }
 
+const removeCspHeaderForPrerenderedRoutes = (nuxt: Nuxt) => {
+  const nitroRouteRules = nuxt.options.nitro.routeRules
+  for (const route in nitroRouteRules) {
+    const routeRules = nitroRouteRules[route]
+    if (routeRules.prerender || nuxt.options.nitro.static) {
+      routeRules.headers = routeRules.headers || {}
+      routeRules.headers['Content-Security-Policy'] = ''
+    }
+  }
+}
+
 const registerSecurityNitroPlugins = (
   nuxt: Nuxt,
   securityOptions: ModuleOptions
@@ -262,4 +285,48 @@ const registerSecurityNitroPlugins = (
       )
     }
   })
+
+  // Make sure our nitro plugins will be applied last
+  // After all other third-party modules that might have loaded their own nitro plugins
+  nuxt.hook('nitro:init', nitro => {
+    const securityPluginsPrefix = normalize(
+      fileURLToPath(
+        new URL('./runtime/nitro/plugins', import.meta.url)
+      )
+    )
+    // SSR: Reorder plugins in Nitro options
+    nitro.options.plugins.sort((a, b) => {
+      if (a.startsWith(securityPluginsPrefix)) {
+        if (b.startsWith(securityPluginsPrefix)) {
+          return 0
+        } else {
+          return 1
+        }
+      } else {
+        if (b.startsWith(securityPluginsPrefix)) {
+          return -1
+        } else {
+          return 0
+        }
+      }
+    })
+    // SSG: Reorder plugins in Nitro hook
+    nitro.hooks.hook('prerender:config', config => {
+      config.plugins?.sort((a, b) => {
+        if (a?.startsWith(securityPluginsPrefix)) {
+          if (b?.startsWith(securityPluginsPrefix)) {
+            return 0
+          } else {
+            return 1
+          }
+        } else {
+          if (b?.startsWith(securityPluginsPrefix)) {
+            return -1
+          } else {
+            return 0
+          }
+        }
+      })
+    })
+  })
 }

src/runtime/composables/nonce.ts

@@ -1,5 +1,5 @@
-import { useNuxtApp, useCookie } from '#imports'
+import { useNuxtApp } from '#imports'
 
 export function useNonce () {
-  return useNuxtApp().ssrContext?.event?.context.nonce ?? useCookie('nonce').value
+  return useNuxtApp().ssrContext?.event?.context.nonce
 }

src/runtime/nitro/plugins/01-hidePoweredBy.ts

@@ -1,9 +1,9 @@
-import type { NitroAppPlugin, RenderResponse } from 'nitropack'
+import { defineNitroPlugin } from '#imports'
 
-export default <NitroAppPlugin> function (nitro) {
-  nitro.hooks.hook('render:response', (response: RenderResponse) => {
-    if (response.headers['x-powered-by']) {
+export default defineNitroPlugin((nitroApp) => {
+  nitroApp.hooks.hook('render:response', (response) => {
+    if (response?.headers?.['x-powered-by']) {
       delete response.headers['x-powered-by']
     }
   })
-}
+})