
Support for Security Headers for resources other than HTML

Open kryopix opened this issue 1 year ago • 5 comments

Hello,

I've noticed that all web security headers only appear in the HTML responses, but not in the Nuxt resources such as CSS, JS, etc. Public resources are also not considered by Nuxt-Security.

Security scanners are raising alarms because the necessary headers, such as X-Content-Type-Options: nosniff, are not set on the resources.

Currently, I've solved this issue with an additional proxy that sets these headers on all resources. However, I suspect this might be a bug in Nuxt-Security, but I'm not sure as I'm not very familiar with this area.

Is it intended that the security headers are only set in the HTML responses? Or is this a bug?

Thank you in advance for your help.

Best regards

kryopix avatar Apr 25 '24 09:04 kryopix

We only apply Security Headers to HTML resources but I think you are right and it might be incorrect in this case.

@Baroshem what's your opinion there? Shall we apply some headers only to HTML resources (e.g. contentSecurityPolicy, crossOriginEmbedderPolicy, permissionsPolicy), and others to all resources (e.g. xContentTypeOptions, strictTransportSecurity)?

vejja avatar Apr 25 '24 09:04 vejja

Hey guys,

I think we could also apply it to other resources to satisfy security scanners. But at this moment I don't have an idea how to implement it, so I would need more time for that.

Also, I think we could convert it to feature request because NuxtSecurity works for HTML by design right now but we can extend it to support more cases :)

Baroshem avatar Apr 25 '24 13:04 Baroshem

I think we could do it. We would need different hooks into render:response and beforeResponse. Let's start by finding out which headers would need to be applied to all resources, WDYT?

@kryopix could you please send us the detailed output from your security scanner so that we understand better what we can improve?

vejja avatar Apr 25 '24 14:04 vejja

@Baroshem this one was more difficult than I anticipated, but now available through #441. Only a subset of headers are concerned:

  • referrerPolicy
  • strictTransportSecurity
  • xContentTypeOptions
  • xDownloadOptions
  • xFrameOptions
  • xPermittedCrossDomainPolicies
  • xXSSProtection

Makes no sense on CSP, Permissions and COEP/COOP, I believe. Comments welcome as always. Cheers

vejja avatar May 05 '24 23:05 vejja
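The header split arrived at above, as an added example (not nuxt-security's own code and not what #441 ships): a Content-Type based selector, the merge step a beforeResponse-style hook would run, and a scanner-style check for the always-required subset. The header values are assumed illustrative defaults, not the module's.

```javascript
// Added example (not nuxt-security code). Header values are illustrative,
// not necessarily the module's defaults.
const HEADERS_FOR_ALL_RESOURCES = {
  'Referrer-Policy': 'no-referrer',
  'Strict-Transport-Security': 'max-age=15552000; includeSubDomains',
  'X-Content-Type-Options': 'nosniff',
  'X-Download-Options': 'noopen',
  'X-Frame-Options': 'SAMEORIGIN',
  'X-Permitted-Cross-Domain-Policies': 'none',
  'X-XSS-Protection': '0',
};

// Policy headers that only make sense on a document, not on CSS/JS/images.
const HEADERS_FOR_HTML_ONLY = {
  'Content-Security-Policy': "default-src 'self'",
  'Cross-Origin-Embedder-Policy': 'require-corp',
  'Cross-Origin-Opener-Policy': 'same-origin',
  'Permissions-Policy': 'camera=(), microphone=()',
};

// "text/html; charset=utf-8" -> true; "text/css" or a missing header -> false
function isHtmlResponse(contentType) {
  if (typeof contentType !== 'string') return false;
  const mime = contentType.split(';')[0].trim().toLowerCase();
  return mime === 'text/html' || mime === 'application/xhtml+xml';
}

// The header set a response with this Content-Type should carry.
function securityHeadersFor(contentType) {
  return isHtmlResponse(contentType)
    ? { ...HEADERS_FOR_ALL_RESOURCES, ...HEADERS_FOR_HTML_ONLY }
    : { ...HEADERS_FOR_ALL_RESOURCES };
}

// Merge into an existing header map (names compared case-insensitively)
// without clobbering anything an upstream handler already set. Hook wiring
// is left out so the block runs stand-alone.
function applySecurityHeaders(headers) {
  const present = new Set(Object.keys(headers).map((h) => h.toLowerCase()));
  const wanted = securityHeadersFor(headers['content-type'] ?? headers['Content-Type']);
  for (const [name, value] of Object.entries(wanted)) {
    if (!present.has(name.toLowerCase())) headers[name] = value;
  }
  return headers;
}

// Scanner-style check: which always-required headers does a response lack?
function missingRequiredHeaders(headers) {
  const present = new Set(Object.keys(headers).map((h) => h.toLowerCase()));
  return Object.keys(HEADERS_FOR_ALL_RESOURCES).filter((h) => !present.has(h.toLowerCase()));
}
```

Running `missingRequiredHeaders({ 'content-type': 'text/css' })` on a constructed bare CSS response reports all seven headers missing, which is the condition the scanner in the opening post flagged.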

Sounds good to me! Thanks for the research and work on it!

Baroshem avatar May 15 '24 15:05 Baroshem