-
Notifications
You must be signed in to change notification settings - Fork 57
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #298 from huang-julien/feat/runtime-headers
feat: allow configuring headers in runtime
- Loading branch information
Showing
18 changed files
with
215 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
import { defineEventHandler } from "#imports" | ||
|
||
export default defineEventHandler((event) => { | ||
return { | ||
csp: getResponseHeader(event, 'Content-Security-Policy') | ||
} | ||
}) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
|
||
export default defineNitroPlugin((nitroApp) => { | ||
nitroApp.hooks.hook('nuxt-security:ready', () => { | ||
nitroApp.hooks.callHook('nuxt-security:headers', | ||
{ | ||
route: '/api/runtime-hooks', | ||
headers: { | ||
contentSecurityPolicy: { | ||
"script-src": ["'self'", "'unsafe-inline'"], | ||
} | ||
} | ||
}) | ||
}) | ||
}) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,33 @@ | ||
import { getNameFromKey, headerStringFromObject} from "../../utils/headers" | ||
import { createRouter} from "radix3" | ||
import { defineNitroPlugin } from '#imports' | ||
import { OptionKey } from "~/src/module" | ||
|
||
export default defineNitroPlugin((nitroApp) => { | ||
const router = createRouter() | ||
|
||
nitroApp.hooks.hook('nuxt-security:headers', ({route, headers: headersConfig}) => { | ||
const headers: Record<string, string |false > = {} | ||
|
||
for (const [header, headerOptions] of Object.entries(headersConfig)) { | ||
const headerName = getNameFromKey(header as OptionKey) | ||
if(headerName) { | ||
const value = headerStringFromObject(header as OptionKey, headerOptions) | ||
if(value) { | ||
headers[headerName] = value | ||
} else { | ||
delete headers[headerName] | ||
} | ||
} | ||
} | ||
|
||
router.insert(route, headers) | ||
}) | ||
|
||
nitroApp.hooks.hook('request', (event) => { | ||
event.context.security = event.context.security || {} | ||
event.context.security.headers = router.lookup(event.path) | ||
}) | ||
|
||
nitroApp.hooks.callHook('nuxt-security:ready') | ||
}) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
import { defineEventHandler, setHeader, removeResponseHeader } from '#imports' | ||
|
||
export default defineEventHandler((event) => { | ||
if(event.context.security.headers) { | ||
Object.entries(event.context.security.headers).forEach(([header, value]) => { | ||
if (value === false) { | ||
removeResponseHeader(event, header) | ||
} else { | ||
setHeader(event, header, value) | ||
} | ||
}) | ||
} | ||
}) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
imports.autoImport=true |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
<template> | ||
<div> | ||
<NuxtPage /> | ||
</div> | ||
</template> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
import MyModule from '../../../src/module' | ||
|
||
export default defineNuxtConfig({ | ||
modules: [ | ||
MyModule | ||
], | ||
routeRules:{ | ||
'/test': { | ||
headers: { | ||
'x-xss-protection': '1', | ||
} | ||
} | ||
}, | ||
security: { | ||
nonce: false, | ||
runtimeHooks: true, | ||
headers: { | ||
contentSecurityPolicy: false | ||
} | ||
} | ||
}) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
{ | ||
"private": true, | ||
"name": "runtime-hooks", | ||
"type": "module" | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
<template> | ||
<div>runtime hooks</div> | ||
</template> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
import { getResponseHeader } from "h3" | ||
|
||
export default defineEventHandler((event) => { | ||
return { | ||
csp: getResponseHeader(event, 'Content-Security-Policy') | ||
} | ||
}) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
export default defineNitroPlugin((nitroApp) => { | ||
nitroApp.hooks.hook('nuxt-security:ready', () => { | ||
nitroApp.hooks.callHook('nuxt-security:headers', { | ||
route: '/api/runtime-hooks', headers: { | ||
contentSecurityPolicy: { | ||
"script-src": ["'self'", "'unsafe-inline'", '*.azure.com'], | ||
} | ||
} | ||
}) | ||
}) | ||
}) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
import { fileURLToPath } from 'node:url' | ||
import { describe, it, expect } from 'vitest' | ||
import { setup, fetch } from '@nuxt/test-utils' | ||
|
||
await setup({ | ||
rootDir: fileURLToPath(new URL('./fixtures/runtime-hooks', import.meta.url)) | ||
}) | ||
|
||
describe('[nuxt-security] runtime hooks', () => { | ||
it('expect csp to be set by a runtime hook', async () => { | ||
const res = await fetch('/api/runtime-hooks') | ||
expect(await res.json()).toMatchInlineSnapshot(` | ||
{ | ||
"csp": "script-src 'self' 'unsafe-inline' *.azure.com;", | ||
} | ||
`) | ||
expect(res.headers.get('Content-Security-Policy')).toMatchInlineSnapshot('"script-src \'self\' \'unsafe-inline\' *.azure.com;"') | ||
}) | ||
}) |