Merge pull request #588 from ivanvakulov/origin/issue587

Enhance header filtering in getHeadersApplicableToAllResources function to exclude falsy values

Author: vejja

src/utils/headers.ts

@@ -177,6 +177,7 @@ export function getHeadersApplicableToAllResources(headers: SecurityHeaders) {
     Object.entries(headers)
     .filter(([key]) => appliesToAllResources(key as OptionKey))
     .map(([key, value]) => ([getNameFromKey(key as OptionKey), headerStringFromObject(key as OptionKey, value)]))
+    .filter(([, value]) => Boolean(value))
   )
   return Object.keys(applicableHeaders).length === 0 ? undefined : applicableHeaders
 }

test/fixtures/publicAssets/.nuxtrc

@@ -0,0 +1 @@
+imports.autoImport=true

test/fixtures/publicAssets/app.vue

@@ -0,0 +1,5 @@
+<template>
+  <div>
+    <NuxtPage />
+  </div>
+</template>

test/fixtures/publicAssets/nuxt.config.ts

@@ -0,0 +1,42 @@
+export default defineNuxtConfig({
+  modules: [
+    '../../../src/module'
+  ],
+  routeRules: {
+    '/test/**': {
+      security: {
+        headers: {
+          referrerPolicy: 'no-referrer',
+          strictTransportSecurity: {
+            maxAge: 15552000,
+            includeSubdomains: true,
+          },
+          xContentTypeOptions: 'nosniff',
+          xDownloadOptions: 'noopen',
+          xFrameOptions: 'SAMEORIGIN',
+          xPermittedCrossDomainPolicies: 'none',
+          xXSSProtection: '0',
+        }
+      }
+    }
+  },
+  security: {
+    headers: {
+      referrerPolicy: false,
+      strictTransportSecurity: false,
+      xContentTypeOptions: false,
+      xDownloadOptions: false,
+      xFrameOptions: false,
+      xPermittedCrossDomainPolicies: false,
+      xXSSProtection: false,
+      contentSecurityPolicy: {
+        'script-src': [
+          "'self'",
+          'https:',
+          "'unsafe-inline'",
+          "'strict-dynamic'"
+        ]
+      }
+    }
+  }
+})

test/fixtures/publicAssets/package.json

@@ -0,0 +1,5 @@
+{
+  "private": true,
+  "name": "basic",
+  "type": "module"
+}

test/fixtures/publicAssets/pages/index.vue

@@ -0,0 +1,3 @@
+<template>
+  <div>basic</div>
+</template>

test/fixtures/publicAssets/public/icon.png

@@ -0,0 +1,53 @@
+import { describe, it, expect } from 'vitest'
+import { fileURLToPath } from 'node:url'
+import { setup, fetch } from '@nuxt/test-utils'
+
+describe('[nuxt-security] Public Assets', async () => {
+  await setup({
+    rootDir: fileURLToPath(new URL('./fixtures/publicAssets', import.meta.url)),
+  })
+
+  it('does not set all-resources security headers when disabled in config', async () => {
+    const { headers } = await fetch('/icon.png')
+    expect(headers).toBeDefined()
+    
+    // Security headers that are always set on all resources
+    const rp = headers.get('referrer-policy')
+    const sts = headers.get('strict-transport-security')
+    const xcto = headers.get('x-content-type-options')
+    const xdo = headers.get('x-download-options')
+    const xfo = headers.get('x-frame-options')
+    const xpcdp = headers.get('x-permitted-cross-domain-policies')
+    const xxp = headers.get('x-xss-protection')
+
+    expect(rp).toBeNull()
+    expect(sts).toBeNull()
+    expect(xcto).toBeNull()
+    expect(xdo).toBeNull()
+    expect(xfo).toBeNull()
+    expect(xpcdp).toBeNull()
+    expect(xxp).toBeNull()
+  })
+  
+  it('sets security headers on routes when specified in routeRules', async () => {
+    const { headers } = await fetch('/test')
+    expect(headers).toBeDefined()
+    
+    // Security headers that are always set on all resources
+    const rp = headers.get('referrer-policy')
+    const sts = headers.get('strict-transport-security')
+    const xcto = headers.get('x-content-type-options')
+    const xdo = headers.get('x-download-options')
+    const xfo = headers.get('x-frame-options')
+    const xpcdp = headers.get('x-permitted-cross-domain-policies')
+    const xxp = headers.get('x-xss-protection')
+
+    expect(rp).toBe('no-referrer')
+    expect(sts).toBe('max-age=15552000; includeSubDomains;')
+    expect(xcto).toBe('nosniff')
+    expect(xdo).toBe('noopen')
+    expect(xfo).toBe('SAMEORIGIN')
+    expect(xpcdp).toBe('none')
+    expect(xxp).toBe('0')
+  })
+})