Support for Security Headers for resources other than HTML #434
We only apply Security Headers to HTML resources but I think you are right and it might be incorrect in this case. @Baroshem what's your opinion there?
Hey guys, I think we could also apply it to other resources to satisfy security scanners. But at this moment I don't have an idea how to implement it so would need more time for that. Also, I think we could convert it to a feature request because NuxtSecurity works for HTML by design right now but we can extend it to support more cases :)
I think we could do it. We would need different hooks into @kryopix could you please send us the detailed output from your security scanner so that we understand better what we can improve?
@Baroshem this one was more difficult than I anticipated, but now available through #441
Makes no sense on CSP, Permissions and COEP/COOP I believe
Sounds good to me! Thanks for the research and work on it!
Hello,
I've noticed that all web security headers only appear in the HTML responses, but not in the Nuxt resources such as CSS, JS, etc. Public resources are also not considered by Nuxt-Security.
Security scanners are raising alarms because the necessary headers, such as X-Content-Type-Options: nosniff, are not set on the resources.
Currently, I've solved this issue with an additional proxy that sets these headers on all resources. However, I suspect this might be a bug in Nuxt-Security, but I'm not sure as I'm not very familiar with this area.
Is it intended that the security headers are only set in the HTML responses? Or is this a bug?
Thank you in advance for your help.
Best regards
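An added example (JavaScript; not nuxt-security's own code) that audits captured response headers the way the issue describes, applying the thread's remark that CSP, Permissions-Policy and COEP/COOP only make sense on HTML while X-Content-Type-Options: nosniff belongs on every resource. The Strict-Transport-Security and Cross-Origin-Resource-Policy entries, the value checks and the sample responses are my own additions, not from the issue.

```javascript
// Added example (not nuxt-security code): report which security headers a
// response lacks, split by whether they matter on every resource or only on HTML.

// Meaningful on every response, CSS, JS, images and public files included.
const UNIVERSAL_HEADERS = {
  'x-content-type-options': (v) => v.toLowerCase() === 'nosniff',
  'strict-transport-security': (v) => /max-age=[1-9]\d*/i.test(v),
  'cross-origin-resource-policy': (v) => /^(same-origin|same-site|cross-origin)$/i.test(v),
};

// Only change how a document behaves; no effect on a stylesheet or script.
const DOCUMENT_ONLY_HEADERS = {
  'content-security-policy': (v) => v.length > 0,
  'permissions-policy': (v) => v.length > 0,
  'cross-origin-embedder-policy': (v) => /^(require-corp|credentialless|unsafe-none)$/i.test(v),
  'cross-origin-opener-policy': (v) => /^(same-origin|same-origin-allow-popups|unsafe-none)$/i.test(v),
};

// Lower-case names and trim values so lookups are case-insensitive.
function normalize(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v).trim();
  return out;
}

function isHtmlResponse(headers) {
  const ct = (normalize(headers)['content-type'] || '').toLowerCase();
  return ct.startsWith('text/html') || ct.startsWith('application/xhtml+xml');
}

// Names of expected headers that are absent or carry a value that will not work.
function missingSecurityHeaders(headers) {
  const h = normalize(headers);
  const expected = isHtmlResponse(h) ? { ...UNIVERSAL_HEADERS, ...DOCUMENT_ONLY_HEADERS } : UNIVERSAL_HEADERS;
  return Object.entries(expected)
    .filter(([name, valid]) => !(name in h) || !valid(h[name]))
    .map(([name]) => name);
}

// Constructed sample modelled on the issue: the HTML document carries every header,
// the CSS bundle and a public image carry none, the JS bundle is what the extra proxy emits.
const SAMPLE_RESPONSES = {
  '/': { 'Content-Type': 'text/html; charset=utf-8', 'X-Content-Type-Options': 'nosniff',
    'Strict-Transport-Security': 'max-age=15552000', 'Cross-Origin-Resource-Policy': 'same-origin',
    'Content-Security-Policy': "default-src 'self'", 'Permissions-Policy': 'camera=()',
    'Cross-Origin-Embedder-Policy': 'require-corp', 'Cross-Origin-Opener-Policy': 'same-origin' },
  '/_nuxt/entry.css': { 'Content-Type': 'text/css' },
  '/favicon.ico': { 'Content-Type': 'image/x-icon' },
  '/_nuxt/entry.js': { 'Content-Type': 'text/javascript', 'X-Content-Type-Options': 'NoSniff',
    'Strict-Transport-Security': 'max-age=15552000', 'Cross-Origin-Resource-Policy': 'same-origin' },
};
```

Running `missingSecurityHeaders` over each entry of `SAMPLE_RESPONSES` reproduces the scanner finding from the issue: the document passes, the bare CSS and image responses lack all three resource-level headers, and the proxied JS bundle passes.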