Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enhance header filtering in getHeadersApplicableToAllResources function to exclude falsy values #588

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions src/utils/headers.ts
Original file line number Diff line number Diff line change
Expand Up @@ -177,6 +177,7 @@ export function getHeadersApplicableToAllResources(headers: SecurityHeaders) {
Object.entries(headers)
.filter(([key]) => appliesToAllResources(key as OptionKey))
.map(([key, value]) => ([getNameFromKey(key as OptionKey), headerStringFromObject(key as OptionKey, value)]))
.filter(([, value]) => Boolean(value))
)
return Object.keys(applicableHeaders).length === 0 ? undefined : applicableHeaders
}
Expand Down
1 change: 1 addition & 0 deletions test/fixtures/publicAssets/.nuxtrc
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
imports.autoImport=true
5 changes: 5 additions & 0 deletions test/fixtures/publicAssets/app.vue
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
<template>
<div>
<NuxtPage />
</div>
</template>
42 changes: 42 additions & 0 deletions test/fixtures/publicAssets/nuxt.config.ts
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
export default defineNuxtConfig({
modules: [
'../../../src/module'
],
routeRules: {
'/test/**': {
security: {
headers: {
referrerPolicy: 'no-referrer',
strictTransportSecurity: {
maxAge: 15552000,
includeSubdomains: true,
},
xContentTypeOptions: 'nosniff',
xDownloadOptions: 'noopen',
xFrameOptions: 'SAMEORIGIN',
xPermittedCrossDomainPolicies: 'none',
xXSSProtection: '0',
}
}
}
},
security: {
headers: {
referrerPolicy: false,
strictTransportSecurity: false,
xContentTypeOptions: false,
xDownloadOptions: false,
xFrameOptions: false,
xPermittedCrossDomainPolicies: false,
xXSSProtection: false,
contentSecurityPolicy: {
'script-src': [
"'self'",
'https:',
"'unsafe-inline'",
"'strict-dynamic'"
]
}
}
}
})
5 changes: 5 additions & 0 deletions test/fixtures/publicAssets/package.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
{
"private": true,
"name": "basic",
"type": "module"
}
3 changes: 3 additions & 0 deletions test/fixtures/publicAssets/pages/index.vue
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
<template>
<div>basic</div>
</template>
Binary file added test/fixtures/publicAssets/public/icon.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added test/fixtures/publicAssets/public/test/icon.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
53 changes: 53 additions & 0 deletions test/publicAssets.test.ts
Original file line number Diff line number Diff line change
@@ -0,0 +1,53 @@
import { describe, it, expect } from 'vitest'
import { fileURLToPath } from 'node:url'
import { setup, fetch } from '@nuxt/test-utils'

describe('[nuxt-security] Public Assets', async () => {
await setup({
rootDir: fileURLToPath(new URL('./fixtures/publicAssets', import.meta.url)),
})

it('does not set all-resources security headers when disabled in config', async () => {
const { headers } = await fetch('/icon.png')
expect(headers).toBeDefined()

// Security headers that are always set on all resources
const rp = headers.get('referrer-policy')
const sts = headers.get('strict-transport-security')
const xcto = headers.get('x-content-type-options')
const xdo = headers.get('x-download-options')
const xfo = headers.get('x-frame-options')
const xpcdp = headers.get('x-permitted-cross-domain-policies')
const xxp = headers.get('x-xss-protection')

expect(rp).toBeNull()
expect(sts).toBeNull()
expect(xcto).toBeNull()
expect(xdo).toBeNull()
expect(xfo).toBeNull()
expect(xpcdp).toBeNull()
expect(xxp).toBeNull()
})

it('sets security headers on routes when specified in routeRules', async () => {
const { headers } = await fetch('/test')
expect(headers).toBeDefined()

// Security headers that are always set on all resources
const rp = headers.get('referrer-policy')
const sts = headers.get('strict-transport-security')
const xcto = headers.get('x-content-type-options')
const xdo = headers.get('x-download-options')
const xfo = headers.get('x-frame-options')
const xpcdp = headers.get('x-permitted-cross-domain-policies')
const xxp = headers.get('x-xss-protection')

expect(rp).toBe('no-referrer')
expect(sts).toBe('max-age=15552000; includeSubDomains;')
expect(xcto).toBe('nosniff')
expect(xdo).toBe('noopen')
expect(xfo).toBe('SAMEORIGIN')
expect(xpcdp).toBe('none')
expect(xxp).toBe('0')
})
})