Merge pull request #42 from StrangeRanger/dev

Implement Security Headers
StrangeRanger · Aug 19, 2024 · e375e84 · e375e84
2 parents ae3cd35 + e1f16ee
commit e375e84
Show file tree

Hide file tree

Showing 5 changed files with 202 additions and 255 deletions.
diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -9,6 +9,8 @@
         "pseudonymized",
         "subprocessor",
         "subprocessors",
-        "vueuse"
+        "vueuse",
+        "nosniff",
+        "SAMEORIGIN",
     ]
 }
diff --git a/eslint.config.mjs b/eslint.config.mjs
@@ -1,9 +1,10 @@
+// @ts-check
 import withNuxt from "./.nuxt/eslint.config.mjs";
 
 export default withNuxt({
   rules: {
     "vue/html-self-closing": [
-      "error",
+      "warn",
       {
         html: {
           void: "always", // Disable 'disallow self-closing on void elements' rule.

diff --git a/nuxt.config.ts b/nuxt.config.ts
@@ -7,13 +7,49 @@ export default defineNuxtConfig({
     transpile: ["vuetify"],
   },
   modules: [
+    "@nuxt/eslint",
+    "nuxt-security",
     (_options, nuxt) => {
       nuxt.hooks.hook("vite:extendConfig", (config) => {
         config.plugins.push(vuetify({ autoImport: true }));
       });
     },
-    "@nuxt/eslint",
   ],
+  security: {
+    headers: {
+      contentSecurityPolicy: {
+        "default-src": ["'self'", "https://analytics.hthompson.dev"],
+        "script-src": [
+          "'self'",
+          "https://analytics.hthompson.dev",
+          "https://files.hthompson.dev/scripts/tracking.js",
+          "https://static.cloudflareinsights.com",
+        ],
+        "style-src": ["'self'", "'unsafe-inline'"],
+        "img-src": ["'self'", "blob:"],
+        "base-uri": ["'none'"],
+        "object-src": ["'none'"],
+        "upgrade-insecure-requests": true
+      },
+      permissionsPolicy: {
+        "camera": [],
+        "display-capture": [],
+        "fullscreen": [],
+        "geolocation": [],
+        "microphone": [],
+        "web-share": [],
+      },
+      referrerPolicy: "strict-origin",
+      strictTransportSecurity: {
+        maxAge: 31536000,
+        includeSubdomains: true,
+        preload: true,
+      },
+      xContentTypeOptions: "nosniff",
+      xFrameOptions: "SAMEORIGIN",
+      xXSSProtection: "1; mode=block",
+    },
+  },
   vite: {
     vue: {
       template: {