
Security headers are included in response even when explicitly set to false #587

Open
ivanvakulov opened this issue Dec 17, 2024 · 1 comment
Labels
bug Something isn't working

Comments


Environment

- Operating System: Darwin
- Node Version:     v22.7.0
- Nuxt Version:     3.14.1592
- CLI Version:      3.16.0
- Nitro Version:    2.10.4
- Package Manager:  [email protected]
- Builder:          -
- User Config:      default
- Runtime Modules:  [email protected]
- Build Modules:    -

Nuxt Security Version

2.1.5

Default setup used?

No, the bug happens only when I set custom values for the security option

Security options

```ts
export default defineNuxtConfig({
  security: {
    headers: {
      referrerPolicy: false,
      strictTransportSecurity: false,
      xContentTypeOptions: false,
      xDownloadOptions: false,
      xFrameOptions: false,
      xPermittedCrossDomainPolicies: false,
      xXSSProtection: false,
      contentSecurityPolicy: false,
      permissionsPolicy: false,
      crossOriginEmbedderPolicy: false,
      crossOriginOpenerPolicy: false,
      crossOriginResourcePolicy: false,
      originAgentCluster: false,
      xDNSPrefetchControl: false,
    },
    rateLimiter: false,
    requestSizeLimiter: false,
    xssValidator: false,
    sri: false,
  }
})
```

Reproduction

Online reproduction: https://stackblitz.com/edit/nuxt-starter-khtpn4ga
To reproduce the issue:

  1. Build the application:

     yarn build

  2. Start the preview server:

     yarn preview

  3. Inspect the response headers for:
     - The main HTML document (headers correctly excluded)
     - Any static file (like .js or .css) where you'll see empty headers being applied

Note: The issue is only visible in the production build (preview mode), not in development mode.

Description

When security headers are explicitly set to false in the configuration, they are still being included in the response headers but with empty values. This issue specifically affects headers that are processed by the appliesToAllResources function and occurs:

  1. For static files (not the main document/HTML file)
  2. Only for the following headers (as defined in appliesToAllResources):
  • referrerPolicy
  • strictTransportSecurity
  • xContentTypeOptions
  • xDownloadOptions
  • xFrameOptions
  • xPermittedCrossDomainPolicies
  • xXSSProtection

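One way to check a built preview server for the behaviour the report describes is to compare the headers a response actually carries against the options that were set to `false`. The following is an added example, not code from the issue or from the nuxt-security module; the option-to-header-name mapping uses the standard HTTP header names and is an assumption, and the sample response headers are constructed.

```javascript
// Added example (not nuxt-security code): audit a response's headers against a
// nuxt-security `headers` config and report any header that was disabled with
// `false` but is still present, flagging empty values separately.

// Option name -> HTTP header name for the options the report lists as handled by
// appliesToAllResources. Assumed from the standard header names, not read from
// the module's source.
const HEADER_NAMES = {
  referrerPolicy: "referrer-policy",
  strictTransportSecurity: "strict-transport-security",
  xContentTypeOptions: "x-content-type-options",
  xDownloadOptions: "x-download-options",
  xFrameOptions: "x-frame-options",
  xPermittedCrossDomainPolicies: "x-permitted-cross-domain-policies",
  xXSSProtection: "x-xss-protection",
};

// `headers` may be a plain object (keys in any case) or a Fetch `Headers`
// instance. Returns one entry per disabled-but-present header.
function auditDisabledHeaders(securityHeadersConfig, headers) {
  const lookup = (name) => {
    if (typeof headers.get === "function") return headers.get(name); // null if absent
    const hit = Object.entries(headers).find(([k]) => k.toLowerCase() === name);
    return hit ? hit[1] : null;
  };
  const leaks = [];
  for (const [option, headerName] of Object.entries(HEADER_NAMES)) {
    if (securityHeadersConfig[option] !== false) continue; // only audit disabled ones
    const value = lookup(headerName);
    if (value === null || value === undefined) continue; // correctly omitted
    leaks.push({ header: headerName, value, empty: String(value).trim() === "" });
  }
  return leaks;
}

// Run against a live preview server, e.g. auditUrl("http://localhost:3000/_nuxt/entry.js", cfg)
// (Node 18+ global fetch). Compare the HTML document with a static asset.
async function auditUrl(url, securityHeadersConfig) {
  const res = await fetch(url);
  return auditDisabledHeaders(securityHeadersConfig, res.headers);
}

// Constructed samples mirroring the report: every option false, a static asset
// answering with empty-valued headers, and an HTML document with none.
const disabledAll = Object.fromEntries(Object.keys(HEADER_NAMES).map((k) => [k, false]));
const sampleStaticAssetHeaders = {
  "Content-Type": "text/javascript",
  "Referrer-Policy": "",
  "Strict-Transport-Security": "",
  "X-Frame-Options": "",
};
const sampleHtmlHeaders = { "Content-Type": "text/html" };
```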

ivanvakulov commented Dec 17, 2024

PR with a fix - #588
