diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 374a7873..c1c33416 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -16,7 +16,7 @@ jobs:
strategy:
matrix:
os: [ubuntu-latest]
- node: [16]
+ node: [18]
steps:
- uses: actions/setup-node@v3
@@ -27,7 +27,7 @@ jobs:
uses: actions/checkout@master
- name: cache node_modules
- uses: actions/cache@v2
+ uses: actions/cache@v3
with:
path: node_modules
key: ${{ matrix.os }}-node-v${{ matrix.node }}-deps-${{ hashFiles(format('{0}{1}', github.workspace, '/yarn.lock')) }}
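Review bot: The bumped `uses: actions/cache@v3` still points at a mutable tag, and the neighbouring context line `uses: actions/checkout@master` tracks a branch, so the job runs whatever those refs resolve to at execution time. Since this hunk already touches the action reference, it would be a good moment to pin both to a full commit SHA with the version kept as a comment, e.g. `uses: actions/cache@<full-commit-sha> # v3` (placeholder, take the SHA from the release you reviewed). The same applies to `actions/setup-node@v3` in the first hunk. This matters more for the cache step because a restored `node_modules` is executed by later steps, so what the cache action does should be fixed to reviewed code.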
diff --git a/docs/content/1.documentation/1.getting-started/2.configuration.md b/docs/content/1.documentation/1.getting-started/2.configuration.md
index a5593ab9..c2a994c2 100644
--- a/docs/content/1.documentation/1.getting-started/2.configuration.md
+++ b/docs/content/1.documentation/1.getting-started/2.configuration.md
@@ -25,8 +25,8 @@ interface ModuleOptions {
enabled: boolean;
csrf: CsrfOptions | false;
nonce: boolean;
- removeLoggers?: RemoveOptions | false;
- ssg?: Ssg;
+ removeLoggers: RemoveOptions | false;
+ ssg: Ssg | false;
sri: boolean;
}
```
diff --git a/docs/content/1.documentation/1.getting-started/3.usage.md b/docs/content/1.documentation/1.getting-started/3.usage.md
index 5aa8b387..03309366 100644
--- a/docs/content/1.documentation/1.getting-started/3.usage.md
+++ b/docs/content/1.documentation/1.getting-started/3.usage.md
@@ -41,12 +41,20 @@ export default defineNuxtConfig({
routeRules: {
'/custom-route': {
headers: {
- // certain header
+ 'Foo': 'Bar'
+ /* DO NOT DEFINE SECURITY HEADERS HERE
'Cross-Origin-Embedder-Policy': 'require-corp'
- },
+ */
+ }
- // certain middleware
security: {
+ // INSTEAD USE THE CUSTOM NUXT-SECURITY PROPERTY
+ headers: {
+ // certain header
+ crossOriginEmbedderPolicy: 'require-corp'
+ },
+
+ // certain middleware
rateLimiter: {
// options
}
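Review bot: The example no longer parses as an object literal, because the added `}` that closes `headers` drops the comma the removed `},` carried, so `security: {` follows with no separator; it should stay `},`. The same slip appears in the next hunk's nested-route example, where the `}` closing the global `security` block is followed directly by `routeRules: {` and also needs `},`. Readers copy these snippets into `nuxt.config`, and a config that fails to load means the security headers shown here are never applied. The `defineNuxtConfig` call begins outside this hunk, so the rest of the snippet was not checked.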
@@ -57,12 +65,50 @@ export default defineNuxtConfig({
```
::alert{type="warning"}
-When using `routeRules`, make sure to:
-
-1. use the proper HTTP Header names like `Cross-Origin-Embedder-Policy` instead of `crossOriginEmbedderPolicy` and to not set the headers inside `security`. These headers are handled by Nuxt and you can check more [here](https://nuxt.com/docs/guide/concepts/rendering#hybrid-rendering).
-2. add middleware inside of `security` in certain route rule. This is a custom NuxtSecurity addition that does not exists in core Nuxt.
+When using `routeRules`, do not use the standard `headers` property to define Nuxt Security options.
+
+Instead, make sure to use the `security` property. This is a custom NuxtSecurity addition that does not exists in core Nuxt.
+
+If your application defines conflicting headers at both levels, the `security` property will take precedence.
::
+For more information on `routeRules` please see the [Nuxt documentation](https://nuxt.com/docs/guide/concepts/rendering#hybrid-rendering)
+
+## Nested route configuration
+
+Nuxt Security will recursively resolve nested routes using your `routeRules` definitions:
+
+```ts
+export default defineNuxtConfig({
+ // Global
+ security: {
+ headers: {
+ crossOriginEmbedderPolicy: 'require-corp' // By default, COEP is 'require-corp'
+ }
+ }
+ // Per route
+ routeRules: {
+ '/some-prefix/**': {
+ security: {
+ headers: {
+ crossOriginEmbedderPolicy: false // COEP disabled on all routes beginning with /some-prefix/
+ }
+ }
+ },
+ '/some-prefix/some-route': {
+ security: {
+ headers: {
+ crossOriginEmbedderPolicy: 'credentialless' // COEP is 'credentialless' on /some-prefix/some-route
+ }
+ }
+ }
+ }
+})
+```
+
+
+## Inline route configuration
+
You can also use route roules in pages like following:
```vue
@@ -72,10 +118,10 @@ You can also use route roules in pages like following: