nuxt-security
Invalid script-src 'nonce-{{nonce}}' on redirect response
Environment
- Operating System: Linux
- Node Version: v18.20.3
- Nuxt Version: 3.15.4
- CLI Version: 3.21.1
- Nitro Version: 2.10.4
- Package Manager: [email protected]
- Builder: -
- User Config: compatibilityDate, devtools, modules
- Runtime Modules: [email protected]
- Build Modules: -
Nuxt Security Version
v.2.1.5
Default setup used?
Yes, the bug happens even if the security option is not customized
Security options
Reproduction
- run https://stackblitz.com/edit/nuxt-starter-bhks8zgr?file=pages%2Findex.vue,nuxt.config.ts
- open index page in browser
- inspect initial request and redirected request in dev tools
Description
Issue:
- responses with redirect get a script-src 'strict-dynamic' 'nonce-{{nonce}}'; header, where the {{nonce}} placeholder doesn't get filled - this pops up in some security scans as an invalid value
Suggestion: For such redirect responses which don't have real HTML content
- either fill the template like with any other pages
- or send a very strict CSP header like
default-src 'none';
I was able to work around this by using the following hook, but it would be nice if nuxt-security would handle this by default.
```ts
import { setHeader } from "h3";
import {
  MOVED_PERMANENTLY,
  MOVED_TEMPORARILY,
  PERMANENT_REDIRECT,
  TEMPORARY_REDIRECT,
} from "http-status-codes";

// Nitro server plugin (e.g. server/plugins/redirect-csp.ts);
// defineNitroPlugin is auto-imported in Nitro plugins.
export default defineNitroPlugin((nitroApp) => {
  nitroApp.hooks.hook("beforeResponse", (event) => {
    if (
      [
        MOVED_PERMANENTLY,
        MOVED_TEMPORARILY,
        PERMANENT_REDIRECT,
        TEMPORARY_REDIRECT,
      ].includes(event.node.res.statusCode)
    ) {
      // Redirect responses carry no HTML of their own, so replace the
      // templated CSP (with its unfilled nonce) by the strictest policy.
      setHeader(event, "content-security-policy", "default-src 'none';");
    }
  });
});
```
Thanks!
Additional context
No response
Logs
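As an added example (not code from the nuxt-security project or from the report above), the following dependency-free Node script does two things a practitioner would want here: it detects the unfilled `{{nonce}}` placeholder (and malformed or too-short nonces) in a CSP header value the way a scanner would, and it factors the redirect decision out of the hook into a pure function that can be unit-tested without a Nitro event. It goes slightly beyond the report's list by treating every standard redirect status (301, 302, 303, 307, 308) as a redirect. The function names, the regular expression and the sample header values are assumptions made for this example.

```javascript
// Added example (not from nuxt-security or the reporter): CSP header checks
// and a pure redirect/CSP decision function. Node 18+, no dependencies.

// All standard redirect statuses; 303 See Other is included because browsers
// treat it exactly like 302 for the purpose of fetching a new location.
const REDIRECT_STATUS = new Set([301, 302, 303, 307, 308]);

// CSP3 grammar: 'nonce-' base64-value ' (base64 or base64url, optional padding).
const NONCE_RE = /^'nonce-([A-Za-z0-9+/\-_]+=*)'$/;

// Parse a serialized CSP into Map<directive, [source expressions]>.
function parseCsp(header) {
  const directives = new Map();
  for (const raw of header.split(";")) {
    const part = raw.trim();
    if (!part) continue;
    const [name, ...values] = part.split(/\s+/);
    directives.set(name.toLowerCase(), values);
  }
  return directives;
}

// Return a list of human-readable problems; an empty list means the header is clean.
function findCspProblems(header) {
  const problems = [];
  for (const [name, values] of parseCsp(header)) {
    for (const v of values) {
      if (v.includes("{{") || v.includes("}}")) {
        // The symptom from the report: a template placeholder that was never substituted.
        problems.push(`${name}: unfilled template placeholder ${v}`);
      } else if (v.startsWith("'nonce-")) {
        const m = NONCE_RE.exec(v);
        if (!m) {
          problems.push(`${name}: malformed nonce source ${v}`);
        } else if (Buffer.from(m[1], "base64").length < 16) {
          // CSP guidance: at least 128 bits of entropy per nonce.
          problems.push(`${name}: nonce shorter than 128 bits in ${v}`);
        }
      }
    }
  }
  return problems;
}

// Pure decision a beforeResponse hook can delegate to. `headers` is a plain
// object with lower-case keys, as Node's res.getHeaders() returns.
function cspForResponse(statusCode, headers, currentCsp) {
  const isRedirect = REDIRECT_STATUS.has(statusCode) && typeof headers.location === "string";
  // A redirect has no HTML to script, so nothing needs a nonce: lock it down entirely.
  return isRedirect ? "default-src 'none';" : currentCsp;
}

// Constructed sample header values, mirroring what the report describes.
const SAMPLE_TEMPLATED = "script-src 'strict-dynamic' 'nonce-{{nonce}}';";
const SAMPLE_FILLED = "script-src 'strict-dynamic' 'nonce-ZjM0ZGNhNWZhZTcwNTk2Nw==';";

for (const h of [SAMPLE_TEMPLATED, SAMPLE_FILLED]) {
  console.log(JSON.stringify(h), "->", findCspProblems(h));
}
console.log("302 to /login ->", cspForResponse(302, { location: "/login" }, SAMPLE_TEMPLATED));
```

Running the script prints one problem for the templated header, none for the filled one, and the locked-down policy for the redirect. The hook itself then reduces to reading `event.node.res.statusCode` and `event.node.res.getHeaders()` and passing them to `cspForResponse`.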
Hey @jschroeter Is your list of status codes comprehensive?