vejja
I think we could do it. We would need different hooks into `render:response` and `beforeResponse`. Let's start by finding out which headers would need to be applied to all resources,...
@Baroshem this one was more difficult than I anticipated, but now available through #441. Only a subset of headers are concerned: - `referrerPolicy` - `strictTransportSecurity` - `xContentTypeOptions` - `xDownloadOptions` -...
@Baroshem could you please check the new default values? I copied them from https://owasp.org/www-project-secure-headers/#configuration-proposal but there are 2 things you may want to verify: - there are other recommended...
> Hey there! > > Sorry for no contact from my side as I was quite busy recently. > > I would update every property so that we will be...
After in-depth review, I think it is better to not make further changes: - CSP `block-all-mixed-content` is marked as obsolete, MDN recommends not to use it. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/block-all-mixed-content - `Clear-Site-Data` header...
Hi @moshetanzer. This could be related to the default security setup for 'upgrade-insecure-requests' when serving with `--host` without a secure SSL connection. Can you try our recommended setup for `--host`...
Wonderful! Looking forward to RC release 🎉🎉🎉
Hi @GalacticHypernova We have a typescript error on `type OptionalThrowError = Pick;` which prevents the release. > src/types/module.ts(9,38): error TS2344: Type 'string' does not satisfy the constraint 'keyof T'. Would...
After review, I am setting all fields optional and falling back to default config values in nested route rules. This is because Nuxt internally forces our NuxtSecurityRouteRules fields to be...
Docs now deployed with security headers - securityheaders.com score: A+ - mozilla observatory score: A+