2.0.0 🎉
This is the new major version of the NuxtSecurity module. After nine release candidates versions, we are ready to present you this new amazing version 🚀
With it, we have updated many things that you can check out below in comparison to version 1.4.0.
Enjoy!
New features
As a part of this new release, there are several new features.
A+ Score by default
Our new version delivers an A+ security rating by default on both the Mozilla Observatory and SecurityHeaders.com
Our documentation page is deployed with Nuxt-Security and is tested on these two scanners:
Performance optimization
We are considerably improving the performance of Nuxt Security with this release, by removing all dependency from cheerio.
Applications running in lightweight environments such as workers, will benefit from significantly reduced CPU and memory usage, and increased page delivery.
Many thanks to @GalacticHypernova for leading the full rewrite of our HTML parsing engine 💚
All Nuxt modes
Security headers are now deployed in all Nuxt rendering modes:
- Universal
- Client-only
- Hybrid
See #441 for details.
OWASP compliance
We are updating our default security settings to conform with the latest OWASP default values for headers.
Users benefit from these updating settings out of the box, with no changes required.
See #450 for details.
Full Static Support
We are significantly improving application security for static websites:
- If the site is deployed with a Nitro Preset, security headers are now delivered natively. Netlify and Vercel static presets have been fully tested.
- If the site is deployed in a custom environment (e.g. bare-metal server), we provide a new
prerenderedHeadersbuild-time hook that exposes all security headers for complete control of your server's headers.
🗞️ Next steps
We are planning a new release soon with the Nuxt DevTools Tab support 🚀
👉 Changelog
compare changes
❤️ Contributors
What's Changed
- feat(core): use virtual file system for SRI by @vejja in #435
- feat(core): Security Headers for Pre-rendered Routes by @vejja in #441
- feat(docs): add security to docs by @vejja in #451
- perf: avoid cheerio in favor of regex by @GalacticHypernova in #404
- fix(csp): ensure charset meta at top of head by @vejja in #449
- fix(docs): update FAQ section on
--hostmode by @vejja in #456 - feat(core) : owasp default values by @vejja in #450
- fix(core): spread storage options by @vejja in #452
- fix: remove navigate-to csp directive by @GalacticHypernova in #457
- fix(types): allow middleware props to be optional when specified in global config by @GalacticHypernova in #458
- Chore/2.0.0 rc.1 by @Baroshem in #448
- Update package version by @vejja in #461
- fix(core): rollup error by @vejja in #463
- fix(headers): fix default-src owasp value by @vejja in #464
- fix(headers): add default for connect-src by @vejja in #465
- feat(headers): explicit directives by @vejja in #466
- fix(rc): bump package version by @vejja in #467
- Chore/2.0.0-rc.6 by @vejja in #468
- add per route csrf to docs by @moshetanzer in #471
- fix(csp): inline script/style have whitespace character by @hlhc in #478
- feat(core): introduce
strictmode by @vejja in #483 - fix(docs): csp denial of pinceau styles runtime hydration by @vejja in #484
- Typo fix in docs by @Simlor in #486
- Indentation corrected by @Simlor in #490
- feat(csp): support style nonce in development by @dargmuesli in #475
- feat-#487: local dev with nuxt devtools by @Baroshem in #488
- feat(doc): introduce Nuxt Scripts as alternative to
useScriptby @vejja in #485 - Clarified when "require-corp" is the default value (documentation change) by @Simlor in #493
- fix: ensure RegExp[] origin can be passed to appSecurityOptions by @Shana-AE in #498
- docs: update information about Nuxt Image by @P4sca1 in #503
- feat: support server-only (NuxtIsland) components by @P4sca1 in #502
- fix: update to latest @nuxt/module-builder by @ThibaultVlacich in #516
- fix: augment @nuxt/schema rather than nuxt/schema by @ThibaultVlacich in #520
- feat: support using regular expressions as CORS origin by @P4sca1 in #509
- Chore/2.0.0 by @Baroshem in #492
