Usage
Learn how to use headers and middleware both globally and per route.
Nuxt Security by default registers a set of global Nuxt routeRules that will make your application more secure by default. Both headers and middleware can be easily configured and even disabled when needed.
โน Read more about security headers here.
Global configuration
To override default behavior for Nuxt Security globally, follow this pattern:
export default defineNuxtConfig({ security: { headers: { // certain header xXSSProtection: '1', }, // certain middleware rateLimiter: { // options } }})Per route configuration
To enable per-route configuration, use the routeRules like following:
export default defineNuxtConfig({ routeRules: { '/custom-route': { headers: { // certain header 'Cross-Origin-Embedder-Policy': 'require-corp' }, // certain middleware security: { rateLimiter: { // options } } } }})When using
routeRules, make sure to:- use the proper HTTP Header names like
Cross-Origin-Embedder-Policyinstead ofcrossOriginEmbedderPolicyand to not set the headers insidesecurity. These headers are handled by Nuxt and you can check more here. - add middleware inside of
securityin certain route rule. This is a custom NuxtSecurity addition that does not exists in core Nuxt.
You can also use route roules in pages like following:
<template> <div>Hello from page</div></template><script setup lang="ts">defineRouteRules({ headers: { 'X-XSS-Protection': '1' }, security: { rateLimiter: { tokensPerInterval: 3, interval: 60000, }, }})</script>To enable this macro, add following configuration to your
nuxt.config.ts file:experimental: { inlineRouteRules: true},Disabling functionality
To disable certain middleware or headers, follow this pattern:
export default defineNuxtConfig({ // global security: { headers: { // certain header contentSecurityPolicy: false }, // certain middleware rateLimiter: false }, // per route routeRules: { '/custom-route': { security: { rateLimiter: false } } }})Table of Contents