{"id":17310,"library":"nuxt-security","title":"Nuxt Security Module","description":"The Nuxt Security module is a robust solution for enhancing the security posture of Nuxt 3 applications by automatically configuring HTTP headers and server middleware according to OWASP principles. It provides features such as Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), X-XSS-Protection, Referrer-Policy, and Permissions-Policy, alongside runtime protections like request size and rate limiters, Cross-Site Scripting (XSS) validation, and Cross-Origin Resource Sharing (CORS) support. The module also offers optional features like basic authentication, allowed HTTP methods control, and CSRF protection. Currently stable at version 2.5.1, `nuxt-security` maintains a rapid release cycle, with frequent hotfixes and minor versions addressing issues, introducing new features, and keeping pace with Nuxt 3 updates. Its primary differentiator is the comprehensive, opinionated, and automatic application of common security best practices without extensive manual configuration. It focuses on server-side protections and integration with Nuxt's SSR/SSG capabilities.","status":"active","version":"2.5.1","language":"javascript","source_language":"en","source_url":"https://github.com/Baroshem/nuxt-security","tags":["javascript","nuxt","vue","security","owasp","helmet","basic-auth","rate-limit","xss"],"install":[{"cmd":"npm install nuxt-security","lang":"bash","label":"npm"},{"cmd":"yarn add nuxt-security","lang":"bash","label":"yarn"},{"cmd":"pnpm add nuxt-security","lang":"bash","label":"pnpm"}],"dependencies":[{"reason":"Peer dependency; this is a Nuxt module and requires Nuxt 3.x or newer (4.x) to function.","package":"nuxt","optional":false},{"reason":"Runtime environment; requires Node.js >=20.0.0 since v2.3.0.","package":"node","optional":false}],"imports":[{"note":"Nuxt modules are added as strings to the `modules` array in `nuxt.config.ts`, not imported as direct JavaScript symbols.","wrong":"import { nuxtSecurity } from 'nuxt-security'","symbol":"Module registration (string)","correct":"export default defineNuxtConfig({\n  modules: [\n    'nuxt-security'\n  ]\n})"},{"note":"This type provides full IntelliSense and type checking for the `security` configuration object in `nuxt.config.ts`.","wrong":"import { ModuleOptions } from 'nuxt-security'","symbol":"ModuleOptions","correct":"import type { ModuleOptions } from 'nuxt-security'"},{"note":"Specific types for individual security features like `BasicAuth`, `CSPConfig`, or `RateLimiter` can be imported for more granular type-safety.","wrong":"import BasicAuth from 'nuxt-security/types/basic-auth'","symbol":"BasicAuth","correct":"import type { BasicAuth } from 'nuxt-security'"}],"quickstart":{"code":"// `defineNuxtConfig` is exported from 'nuxt/config' (it is also auto-available in nuxt.config.ts without an import)\nimport { defineNuxtConfig } from 'nuxt/config';\nimport type { ModuleOptions } from 'nuxt-security';\n\nconst securityConfig: ModuleOptions = {\n  headers: {\n    contentSecurityPolicy: {\n      value: {\n        'default-src': [\"'self'\", \"https://cdn.example.com\"],\n        'script-src': [\"'self'\", \"'unsafe-inline'\", \"'unsafe-eval'\", \"https://cdn.example.com\"],\n        'style-src': [\"'self'\", \"'unsafe-inline'\", \"https://cdn.example.com\"]\n      },\n      route: '/**'\n    },\n    xXSSProtection: { value: '1; mode=block', route: '/**' },\n    noSniff: { value: true, route: '/**' }\n  },\n  rateLimiter: {\n    value: {\n      tokens: 10,\n      interval: 30000,\n      headers: true,\n      driver: {\n        name: 'lru-cache',\n        options: { max: 1000, ttl: 60000 }\n      },\n      statusCode: 429,\n      statusMessage: 'Too Many Requests'\n    },\n    route: '/api/**'\n  },\n  allowedHTTPMethods: {\n    value: ['GET', 'POST', 'PUT', 'DELETE'],\n    route: '/api/**'\n  },\n  xssValidator: {\n    value: true,\n    route: '/forms/**'\n  },\n  basicAuth: {\n    value: {\n      // Credentials come from the environment; the fallbacks are placeholders for local development only\n      name: process.env.BASIC_AUTH_USERNAME ?? 'admin',\n      pass: process.env.BASIC_AUTH_PASSWORD ?? 'password',\n      enabled: true,\n      message: 'Authentication Required'\n    },\n    route: '/admin/**'\n  }\n};\n\nexport default defineNuxtConfig({\n  modules: [\n    'nuxt-security'\n  ],\n  security: securityConfig\n});","lang":"typescript","description":"This configuration enables several security features for a Nuxt application: a Content Security Policy, X-XSS-Protection and nosniff headers, rate limiting for all API routes, restricted HTTP methods, XSS validation for form submissions, and basic authentication for the '/admin' section. Note that the CSP shown allows 'unsafe-inline' and 'unsafe-eval' for scripts, which weakens it; prefer nonces or hashes where possible. Remember to set the `BASIC_AUTH_USERNAME` and `BASIC_AUTH_PASSWORD` environment variables rather than relying on the placeholder fallbacks."},"warnings":[{"fix":"Upgrade your Node.js environment to version 20 or higher using a Node Version Manager (e.g., nvm, fnm) or update your deployment platform's Node.js version.","message":"The module raised its minimum Node.js version requirement to 20.0.0 in v2.3.0. Applications deployed with older Node.js versions will encounter runtime errors or fail to build.","severity":"breaking","affected_versions":">=2.3.0"},{"fix":"Upgrade to v2.1.2 or newer. If staying on an older version, explicitly set `removeLoggers: { value: false, route: '/**' }` in your development `nuxt.config.ts`.","message":"Prior to v2.1.2, `console.log` statements were removed in development mode by default if the `removeLoggers` option was implicitly or explicitly enabled, leading to unexpected debugging challenges. This behavior was changed in a hotfix.","severity":"gotcha","affected_versions":"<2.1.2"},{"fix":"Develop your CSP iteratively and test thoroughly across all environments (development, production, SSR, SSG). Use CSP reporting to identify violations, and use `nonce` or `hash` sources for dynamically generated content where 'unsafe-inline' is not desirable.","message":"An incorrectly configured Content Security Policy (CSP) can severely restrict a web application, blocking legitimate scripts, styles, images, and other resources. This often results in a broken user interface or functionality, especially in SSR/SSG contexts where nonces or hashes might be required.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Test the XSS validator rigorously with the full range of expected user inputs. Consider applying XSS validation only to specific routes (e.g., `/forms/**`) where user-generated content is expected, or disable it for routes where rich content is intentionally permitted and sanitized by other means.","message":"The XSS validator can be overly aggressive and block legitimate user input, particularly in applications that handle rich text, HTML snippets, or other forms of complex data. This can lead to a poor user experience or data loss.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Configure the rate limiter `tokens` and `interval` values based on a realistic assessment of expected traffic patterns and client behavior. Use the `whiteList` option (introduced in v2.2.0) to exempt known, high-volume clients or internal services from rate limiting.","message":"Aggressive rate limiting configurations can unexpectedly block legitimate API clients, bots, or integrations, leading to service disruption or inaccessible features. This is particularly problematic for applications with diverse client bases or sudden spikes in legitimate traffic.","severity":"gotcha","affected_versions":">=1.0.0"}],"env_vars":null,"last_verified":"2026-04-22T00:00:00.000Z","next_check":"2026-07-21T00:00:00.000Z","problems":[{"fix":"Run `npx nuxi@latest module add security` or `npm install nuxt-security` to ensure the package is installed. Verify that `'nuxt-security'` is present in the `modules` array within your `nuxt.config.ts`.","cause":"The module is not installed, it is not correctly added to the `modules` array in `nuxt.config.ts`, or the type declarations are not properly resolved.","error":"Cannot find module 'nuxt-security' or its corresponding type declarations."},{"fix":"Review the `security.headers.contentSecurityPolicy` configuration in `nuxt.config.ts`. Add the problematic URL's origin to the `script-src` directive, or use `nonce`/`hash` sources if dynamic inline scripts are necessary; fall back to `'unsafe-inline'`/`'unsafe-eval'` only as a last resort, since they largely defeat the purpose of the policy.","cause":"Your Content Security Policy (CSP) headers, configured by `nuxt-security`, are preventing a script from loading because its origin or attributes do not match the allowed directives.","error":"Refused to load the script '<URL>' because it violates the following Content Security Policy directive: \"script-src\"."},{"fix":"Check the `security.allowedHTTPMethods` configuration in `nuxt.config.ts` for the route in question. Ensure that the HTTP method used by your client is included in the `value` array. Adjust the configuration or the client request method as appropriate.","cause":"The HTTP request used a method (e.g., PUT) that is not permitted for the specific route by the `security.allowedHTTPMethods` configuration.","error":"405 Method Not Allowed"},{"fix":"Increase the `tokens` (maximum requests) or `interval` (time window) values in your `security.rateLimiter` configuration. Alternatively, if the client is legitimate and requires higher limits, consider adding its IP address to the `whiteList` option (available since v2.2.0).","cause":"The rate limiter middleware, configured via `security.rateLimiter`, has detected that too many requests originated from the same client within the defined interval.","error":"429 Too Many Requests"},{"fix":"Upgrade your local and deployment Node.js version to 20 or higher. Use a Node Version Manager like `nvm` or `fnm` to manage different Node.js versions efficiently.","cause":"Your Node.js environment does not meet the minimum version requirement (Node.js >=20.0.0) specified by `nuxt-security` since version 2.3.0.","error":"ERR_PNPM_PEER_DEP_ISSUES: Peer dependencies error (or similar npm/yarn error related to Node.js version)"}],"ecosystem":"npm","meta_description":null}