2.4.0

What's Changed

• feat(rate limiter): #643 add new option for custom IP header name by @jelmerdemaat in #644
• Update STS header generation by @FBFunnyBunnyFB in #649
• Chore/2.4.0 by @Baroshem in #650

New Contributors

• @jelmerdemaat made their first contribution in #644
• @FBFunnyBunnyFB made their first contribution in #649

Full Changelog: v2.3.0...v2.4.0

2.3.0

What's Changed

• #624 - Update incorrect permissions policy docs by @OndrejSerek in #625
• feat(node)!: upgrade to v20 by @dargmuesli in #635
• test: update for most recent Nuxt v3 by @dargmuesli in #640
• fix(types): declare module nitropack/types by @dargmuesli in #634
• chore(deps)!: upgrade module builder to v1 by @dargmuesli in #636
• Chore/2.3.0 by @Baroshem in #641

New Contributors

• @OndrejSerek made their first contribution in #625

Full Changelog: v2.2.0...v2.3.0

v2.2.0

This version introduces a new feature to the rate limiter middleware by adding a whitelist option, along with several related changes to the codebase and documentation.

New Feature: Whitelist Option for Rate Limiter

• Rate Limiter Configuration:

  • Added a whiteList property to the RateLimiter type, allowing specific IP addresses to bypass rate limiting. (docs/content/3.middleware/1.rate-limiter.md, src/types/middlewares.ts, src/defaultConfig.ts) [1] [2] [3]
  • Updated documentation to include details about the new whiteList property. (docs/content/3.middleware/1.rate-limiter.md)

• Security Configuration:

  • Fixed an issue where securityConfig was not correctly initialized in the basic authentication middleware. (src/runtime/server/middleware/basicAuth.ts)

• Nonce Handling:

  • Improved the handling of nonces in CSP headers by ensuring existing nonces are replaced instead of duplicated. (src/runtime/nitro/plugins/40-cspSsrNonce.ts) [1] [2]

What's Changed

• Bug reports in repo: Use new template forms by @vejja in #578
• bug reports: update placeholders by @vejja in #579
• Update bug-report.yml by @vejja in #581
• docs(fix): readme license link by @IO-Fire in #591
• [ci skip] docs: update license year by @IO-Fire in #592
• Enhance header filtering in getHeadersApplicableToAllResources function to exclude falsy values by @ivanvakulov in #588
• Update GitHub question issue template with the correct link by @nicokempe in #600
• Fix/docs typo by @fahdarafat in #596
• fix(nonce): override user-defined nonce values with Nuxt Image by @GalacticHypernova in #593
• Add basic rate limiter whitelist (specific IPs only) by @zguig52 in #573
• Refactor basicAuth middleware to use runtime configuration correctly by @ivanvakulov in #599
• Chore/2.2.0 by @Baroshem in #607

New Contributors

• @IO-Fire made their first contribution in #591
• @ivanvakulov made their first contribution in #588
• @nicokempe made their first contribution in #600
• @fahdarafat made their first contribution in #596
• @zguig52 made their first contribution in #573

Full Changelog: v2.1.5...v2.2.0

v2.1.5

🚨Hotfix Release : disable minification by default

This release fixes an issue reported in #576 whereby Nuxt UI v3 styles could break.
The issue was related to minification settings.

This release also deploys the new version of the documentation pages for Nuxt Security
Enjoy reading 📖

What's Changed

• Chore/2.1.4 by @vejja in #568
• docs-#558: refactor docs new version by @Baroshem in #560
• fix(docs): broken links by @aryan02420 in #574
• fix(loggers): do not set minify option by default by @vejja in #577

New Contributors

• @aryan02420 made their first contribution in #574

Full Changelog: v2.1.4...v2.1.5

2.1.4

compare changes

🩹 Hotfix Release: SRI for PrimeVue

This release introduces specific support for Subresource Integrity with PrimeVue

❤️ Contributors

• Lawren [email protected]

What's Changed

• chore(release): 2.1.3 by @vejja in #566
• fix: #564 resolves issue with element.replace on non-string elements by @lawren in #567

Full Changelog: v2.1.3...v2.1.4

2.1.3

🩹 Hotfix Release: Nonce for PrimeVue

This release introduces specific support for Nonce with PrimeVue

❤️ Contributors

• Lawren [email protected]

What's Changed

• chore(release): 2.1.2 by @vejja in #563
• fix: #564 resolves issue with element.replace on non-string elements by @lawren in #565

New Contributors

• @lawren made their first contribution in #565

Full Changelog: v2.1.2...v2.1.3

2.1.2

🚨Hotfix release: re-enable console.logs in dev mode

This release prevents the removal of console.log statements by Nuxt-Security in development mode.

Nuxt Security helps you ship safer applications by removing console.log statements when the removeLoggers option is set to true, which is the default value.
However, removing console.log statements by default also in development mode is causing our users to search why their logs are disappearing.

With this release, removeLoggers only removes console.log statements in production builds.

What's Changed

• fix(core): do not remove loggers in dev mode by @vejja in #561

Full Changelog: v2.1.1...v2.1.2

2.1.1

🛠️ Hotfix Release : Node 18 Compatibility

This hotfix release re-introduces support for Node 18.
Node 18 is the minimum requirement for all Nuxt 3 applications.

Full Changelog: v2.1.0...v2.1.1

2.1.0

2.1.0 🎉

This is a new minor version where we focused mainly on fixing bugs but we also introduced Continous Releases by Stackblitz!

Enjoy!

👉 Changelog
compare changes

❤️ Contributors

• @vejja
• @dungsil made their first contribution in #530
• @DamianGlowala
• @Baroshem

What's Changed

• docs: fix broken links by @dungsil in #530
• fix: devtools being blocked in strict mode by @dungsil in #531
• feat(csp): trusted types by @vejja in #529
• fix(sri): incorrect cdnUrl resolution by @vejja in #536
• docs: mention correct default value for COOP by @DamianGlowala in #543
• feat(core): Vite native method to remove loggers by @vejja in #534
• fix(core): do not create empty header entries in routeRules by @vejja in #539
• feat(core): crypto compatibility for Workers by @vejja in #547
• feat(core): Continuous Releases by @vejja in #549
• Revert "feat(core): Continuous Releases" by @vejja in #550
• feat(core): Continuous Releases by @vejja in #551
• chore(deps): bump vite from 5.2.8 to 5.4.11 by @dependabot in #552
• Chore/2.1.0 by @Baroshem in #532

New Contributors

• @dungsil made their first contribution in #530

Full Changelog: v2.0.0...v2.1.0

2.0.0

2.0.0 🎉

This is the new major version of the NuxtSecurity module. After nine release candidates versions, we are ready to present you this new amazing version 🚀

With it, we have updated many things that you can check out below in comparison to version 1.4.0.

Enjoy!

New features

As a part of this new release, there are several new features.

A+ Score by default

Our new version delivers an A+ security rating by default on both the Mozilla Observatory and SecurityHeaders.com
Our documentation page is deployed with Nuxt-Security and is tested on these two scanners:

Performance optimization

We are considerably improving the performance of Nuxt Security with this release, by removing all dependency from cheerio.
Applications running in lightweight environments such as workers, will benefit from significantly reduced CPU and memory usage, and increased page delivery.

Many thanks to @GalacticHypernova for leading the full rewrite of our HTML parsing engine 💚

All Nuxt modes

Security headers are now deployed in all Nuxt rendering modes:

• Universal
• Client-only
• Hybrid

See #441 for details.

OWASP compliance

We are updating our default security settings to conform with the latest OWASP default values for headers.
Users benefit from these updating settings out of the box, with no changes required.

See #450 for details.

Full Static Support

We are significantly improving application security for static websites:

• If the site is deployed with a Nitro Preset, security headers are now delivered natively. Netlify and Vercel static presets have been fully tested.
• If the site is deployed in a custom environment (e.g. bare-metal server), we provide a new prerenderedHeaders build-time hook that exposes all security headers for complete control of your server's headers.

🗞️ Next steps

We are planning a new release soon with the Nuxt DevTools Tab support 🚀

👉 Changelog
compare changes

❤️ Contributors

• @vejja
• @moshetanzer
• @hlhc
• @Simlor
• @dargmuesli
• @GalacticHypernova
• @Shana-AE
• @P4sca1
• @ThibaultVlacich

What's Changed

• feat(core): use virtual file system for SRI by @vejja in #435
• feat(core): Security Headers for Pre-rendered Routes by @vejja in #441
• feat(docs): add security to docs by @vejja in #451
• perf: avoid cheerio in favor of regex by @GalacticHypernova in #404
• fix(csp): ensure charset meta at top of head by @vejja in #449
• fix(docs): update FAQ section on --host mode by @vejja in #456
• feat(core) : owasp default values by @vejja in #450
• fix(core): spread storage options by @vejja in #452
• fix: remove navigate-to csp directive by @GalacticHypernova in #457
• fix(types): allow middleware props to be optional when specified in global config by @GalacticHypernova in #458
• Chore/2.0.0 rc.1 by @Baroshem in #448
• Update package version by @vejja in #461
• fix(core): rollup error by @vejja in #463
• fix(headers): fix default-src owasp value by @vejja in #464
• fix(headers): add default for connect-src by @vejja in #465
• feat(headers): explicit directives by @vejja in #466
• fix(rc): bump package version by @vejja in #467
• Chore/2.0.0-rc.6 by @vejja in #468
• add per route csrf to docs by @moshetanzer in #471
• fix(csp): inline script/style have whitespace character by @hlhc in #478
• feat(core): introduce strict mode by @vejja in #483
• fix(docs): csp denial of pinceau styles runtime hydration by @vejja in #484
• Typo fix in docs by @Simlor in #486
• Indentation corrected by @Simlor in #490
• feat(csp): support style nonce in development by @dargmuesli in #475
• feat-#487: local dev with nuxt devtools by @Baroshem in #488
• feat(doc): introduce Nuxt Scripts as alternative to useScript by @vejja in #485
• Clarified when "require-corp" is the default value (documentation change) by @Simlor in #493
• fix: ensure RegExp[] origin can be passed to appSecurityOptions by @Shana-AE in #498
• docs: update information about Nuxt Image by @P4sca1 in #503
• feat: support server-only (NuxtIsland) components by @P4sca1 in #502
• fix: update to latest @nuxt/module-builder by @ThibaultVlacich in #516
• fix: augment @nuxt/schema rather than nuxt/schema by @ThibaultVlacich in #520
• feat: support using regular expressions as CORS origin by @P4sca1 in #509
• Chore/2.0.0 by @Baroshem in #492

New Contributors

• @moshetanzer made their first contribution in #471
• @hlhc made their first contribution in #478
• @Simlor made their first contribution in #486
• @Shana-AE made their first contribution in #498
• @P4sca1 made their first contribution in #503
• @ThibaultVlacich made their first contribution in #516