initial commit

.editorconfig

@@ -0,0 +1,12 @@
+root = true
+
+[*]
+indent_size = 2
+indent_style = space
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+
+[*.md]
+trim_trailing_whitespace = false

.eslintignore

@@ -0,0 +1,2 @@
+dist
+node_modules

.eslintrc

@@ -0,0 +1,10 @@
+{
+  "extends": [
+    "@nuxtjs/eslint-config-typescript"
+  ],
+  "rules": {
+    "@typescript-eslint/no-unused-vars": [
+      "off"
+    ]
+  }
+}

.gitignore

@@ -0,0 +1,51 @@
+# Dependencies
+node_modules
+
+# Logs
+*.log*
+
+# Temp directories
+.temp
+.tmp
+.cache
+
+# Yarn
+**/.yarn/cache
+**/.yarn/*state*
+
+# Generated dirs
+dist
+
+# Nuxt
+.nuxt
+.output
+.vercel_build_output
+.build-*
+.env
+.netlify
+
+# Env
+.env
+
+# Testing
+reports
+coverage
+*.lcov
+.nyc_output
+
+# VSCode
+.vscode
+
+# Intellij idea
+*.iml
+.idea
+
+# OSX
+.DS_Store
+.AppleDouble
+.LSOverride
+.AppleDB
+.AppleDesktop
+Network Trash Folder
+Temporary Items
+.apdisk

.nuxtrc

@@ -0,0 +1 @@
+imports.autoImport=false

README.md

@@ -0,0 +1,65 @@
+# nuxt-helm
+
+This module is a H3/Nuxt version of the popular Express Middleware [helmet](https://github.com/helmetjs/helmet). `nuxt-helm` automatically sets the same response headers for H3 events as a global Nuxt middleware.
+
+## Usage
+
+```sh
+yarn add nuxt-helm # yarn
+npm i nuxt-helm # npm
+```
+
+```javascript
+// nuxt.config.js
+
+{
+  modules: [
+    "nuxt-helm",
+  ],
+}
+```
+
+The module will configure for you several response headers with the values recommended by Helmet.
+
+If you wish to modify them you can do so from the configuration:
+
+```js
+ helm: {
+    crossOriginResourcePolicy: string;
+    crossOriginOpenerPolicy: string;
+    crossOriginEmbedderPolicy: string;
+    contentSecurityPolicy: string;
+    originAgentCluster: string;
+    referrerPolicy: string;
+    strictTransportSecurity: string;
+    xContentTypeOptions: string;
+    xDNSPrefetchControl: string;
+    xDownloadOptions: string;
+    xFrameOptions: string;
+    xPermittedCrossDomainPolicies: string;
+    xXSSProtection: number;
+  }
+```
+
+The default values are as follows:
+
+```js
+  crossOriginResourcePolicy: "same-origin",
+  crossOriginOpenerPolicy: "same-origin",
+  crossOriginEmbedderPolicy: "require-corp",
+  contentSecurityPolicy: "default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests",
+  originAgentCluster: '?1',
+  referrerPolicy: 'no-referrer',
+  strictTransportSecurity: 'max-age=15552000; includeSubDomains',
+  xContentTypeOptions: 'nosniff',
+  xDNSPrefetchControl: 'off',
+  xDownloadOptions: 'noopen',
+  xFrameOptions: 'SAMEORIGIN',
+  xPermittedCrossDomainPolicies: 'none',
+  xXSSProtection: 0
+```
+
+## Development
+
+- Run `npm run dev:prepare` to generate type stubs.
+- Use `npm run dev` to start [playground](./playground) in development mode.

package.json

@@ -0,0 +1,33 @@
+{
+  "name": "nuxt-helm",
+  "version": "0.0.1",
+  "license": "MIT",
+  "type": "module",
+  "exports": {
+    ".": {
+      "import": "./dist/module.mjs",
+      "require": "./dist/module.cjs"
+    }
+  },
+  "main": "./dist/module.cjs",
+  "types": "./dist/types.d.ts",
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "prepack": "nuxt-module-build",
+    "dev": "nuxi dev playground",
+    "dev:build": "nuxi build playground",
+    "dev:prepare": "nuxt-module-build --stub && nuxi prepare playground"
+  },
+  "dependencies": {
+    "@nuxt/kit": "^3.0.0-rc.11"
+  },
+  "devDependencies": {
+    "@nuxt/module-builder": "latest",
+    "@nuxt/schema": "^3.0.0-rc.11",
+    "@nuxtjs/eslint-config-typescript": "latest",
+    "eslint": "latest",
+    "nuxt": "^3.0.0-rc.11"
+  }
+}

playground/app.vue

@@ -0,0 +1,6 @@
+<template>
+  <NuxtPage />
+</template>
+
+<script setup>
+</script>

playground/nuxt.config.ts

@@ -0,0 +1,13 @@
+import { defineNuxtConfig } from 'nuxt/config'
+import MyModule from '..'
+
+export default defineNuxtConfig({
+  modules: [
+    MyModule
+  ],
+  helm: {
+    crossOriginResourcePolicy: 'same-origin',
+    crossOriginOpenerPolicy: 'same-origin',
+    // Other headers
+  }
+})

playground/package.json

@@ -0,0 +1,4 @@
+{
+  "private": true,
+  "name": "my-module-playground"
+}

playground/pages/about.vue

@@ -0,0 +1,3 @@
+<template>
+  <div>About</div>
+</template>

playground/pages/index.vue

@@ -0,0 +1,3 @@
+<template>
+  Home
+</template>

src/module.ts

@@ -0,0 +1,50 @@
+import { resolve } from 'path'
+import { fileURLToPath } from 'url'
+import { defineNuxtModule, addServerHandler } from '@nuxt/kit'
+import defu from 'defu'
+
+export interface ModuleOptions {
+  crossOriginResourcePolicy: string;
+  crossOriginOpenerPolicy: string;
+  crossOriginEmbedderPolicy: string;
+  contentSecurityPolicy: string;
+  originAgentCluster: string;
+  referrerPolicy: string;
+  strictTransportSecurity: string;
+  xContentTypeOptions: string;
+  xDNSPrefetchControl: string;
+  xDownloadOptions: string;
+  xFrameOptions: string;
+  xPermittedCrossDomainPolicies: string;
+  xXSSProtection: number;
+}
+
+export default defineNuxtModule<ModuleOptions>({
+  meta: {
+    name: 'nuxt-helm',
+    configKey: 'helm'
+  },
+  defaults: {
+    crossOriginResourcePolicy: "same-origin",
+    crossOriginOpenerPolicy: "same-origin",
+    crossOriginEmbedderPolicy: "require-corp",
+    contentSecurityPolicy: "default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests",
+    originAgentCluster: '?1',
+    referrerPolicy: 'no-referrer',
+    strictTransportSecurity: 'max-age=15552000; includeSubDomains',
+    xContentTypeOptions: 'nosniff',
+    xDNSPrefetchControl: 'off',
+    xDownloadOptions: 'noopen',
+    xFrameOptions: 'SAMEORIGIN',
+    xPermittedCrossDomainPolicies: 'none',
+    xXSSProtection: 0
+  },
+  setup (options, nuxt) {
+    const runtimeDir = fileURLToPath(new URL('./runtime', import.meta.url))
+    nuxt.options.build.transpile.push(runtimeDir)
+    nuxt.options.runtimeConfig.helm = defu(nuxt.options.runtimeConfig.helm, {
+      ...options
+    })
+    addServerHandler({ route: '', handler: resolve(runtimeDir, 'server/middleware/helm') })
+  }
+})

src/runtime/server/middleware/helm.ts

@@ -0,0 +1,22 @@
+import { setHeaders, defineEventHandler } from 'h3'
+import { useRuntimeConfig } from '#imports'
+
+const helmConfig = useRuntimeConfig().helm
+
+export default defineEventHandler((event) => {
+  setHeaders(event, {
+    'Content-Security-Policy': helmConfig.contentSecurityPolicy,
+    'Cross-Origin-Resource-Policy': helmConfig.crossOriginResourcePolicy,
+    'Cross-Origin-Opener-Policy': helmConfig.crossOriginOpenerPolicy,
+    'Cross-Origin-Embedder-Policy': helmConfig.crossOriginEmbedderPolicy,
+    'Origin-Agent-Cluster': helmConfig.originAgentCluster,
+    'Referrer-Policy': helmConfig.referrerPolicy,
+    'Strict-Transport-Security': helmConfig.strictTransportSecurity,
+    'X-Content-Type-Options': helmConfig.xContentTypeOptions,
+    'X-DNS-Prefetch-Control': helmConfig.xDNSPrefetchControl,
+    'X-Download-Options': helmConfig.xDownloadOptions,
+    'X-Frame-Options': helmConfig.xFrameOptions,
+    'X-Permitted-Cross-Domain-Policies': helmConfig.xPermittedCrossDomainPolicies,
+    'X-XSS-Protection': helmConfig.xXSSProtection,
+  })
+})

tsconfig.json

@@ -0,0 +1,3 @@
+{
+  "extends": "./playground/.nuxt/tsconfig.json"
+}