github Baroshem/nuxt-security v1.0.0-rc.3
1.0.0-rc.3

pre-release, 2 years ago

1.0.0-rc.3 is the next release candidate

🗞️ Next steps

We are planning to release one or two more release candidate versions with bugfixes before a stable 1.0.0 version is released.

✅ Migration Guide

This version includes ⚠️ breaking changes, but don't worry, we have prepared a migration guide for you 😉

In the previous version, nonce could be either an object of type NonceOptions or false.

export type NonceOptions = {
  enabled: boolean;
  mode?: 'renew' | 'check';
  value?: (() => string);
}

Now it is only a boolean value:

export default defineNuxtConfig({
  security: {
    // nonce is now a plain boolean: true or false
    nonce: true
  }
})

This change was necessary to resolve a security vulnerability in the nonce option reported by vejja (#257). Read more about the new usage of nonce in this module: https://nuxt-security.vercel.app/documentation/headers/csp#nonce

👉 Changelog

🚀 Enhancements

  • Add credentialless value to Cross-Origin-Embedder-Policy header
  • Export configuration type
  • Improve CSP Compliance
  • Ensure CSP plugins are added last
  • Extend CSP support of SSG mode
  • Use cheerio HTML parser for CSP

🩹 Fixes

  • Basic Auth Configuration for Multiple Paths
  • Nonce value is injected in all pre-rendered pages if the nonce option is set to true

📖 Documentation

  • Clarify rateLimiter interval property

🏡 Chore

  • Improve TS config

⚠️ Breaking Changes

  • CSP Compliance

