
Commit c47b5a6

committed
feat(security): Implement security headers for GitHub Pages
1 parent 3242342 commit c47b5a6

1 file changed

Lines changed: 26 additions & 0 deletions

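--- a/nuxt.config.ts
+++ b/nuxt.config.ts
@@ -1,13 +1,39 @@
 import { defineNuxtConfig } from 'nuxt/config'
 import variables from './app/utilities/variables'
 
+if (!process.env.NUXT_BASE_URL) {
+throw new Error('NUXT_BASE_URL environment variable is required. Set it before running the build.')
+}
+
 const SEO = {
 TITLE: `Jack Domleo - ${variables.OCCUPATION}`,
 DESCRIPTION: `Personal website of Jack Domleo, a ${variables.OCCUPATION.toLowerCase()} specialising in JavaScript-based technologies and web development.`
 }
 
 export default defineNuxtConfig({
 ssr: true,
+app: {
+head: {
+meta: [
+{
+// Content-Security-Policy restricts which resources the browser is allowed to load. GitHub Pages does not support custom response headers, so this must be set as a <meta http-equiv> tag instead. Note: frame-ancestors is ignored by browsers when set via a meta tag (it only works as a response header), but all other directives are honoured. Key directives:
+// - default-src 'self' → block all resources not explicitly permitted
+// - script-src 'unsafe-inline' → required by Nuxt's inline hydration scripts
+// - style-src 'unsafe-inline' → required for Vue's scoped style injection
+// - frame-ancestors 'none' → prevents this page being embedded in an iframe (clickjacking)
+// - base-uri 'self' → prevents <base> tag hijacking
+// - form-action 'self' → prevents forms from submitting to external URLs
+'http-equiv': 'Content-Security-Policy',
+content: "default-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; font-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'"
+},
+{
+// Referrer-Policy controls how much referrer information is sent with outbound requests. strict-origin-when-cross-origin: sends the full URL for same-origin requests, but only the origin (no path/query) for cross-origin requests, and nothing over HTTP. This prevents leaking page URLs to third-party services via the Referer header.
+name: 'referrer',
+content: 'strict-origin-when-cross-origin'
+}
+]
+}
+},
 typescript: {
 typeCheck: process.env.NODE_ENV === 'dev',
 strict: true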
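Review bot: The bullet `// - frame-ancestors 'none' → prevents this page being embedded in an iframe (clickjacking)` contradicts the sentence above it, which correctly notes that frame-ancestors is ignored when delivered via a `<meta>` tag; since GitHub Pages cannot send response headers, this directive provides no clickjacking protection here and browsers typically log a console warning that it was ignored. Either drop `frame-ancestors 'none'` from the `content` string or reword the bullet to `// - frame-ancestors 'none' → ignored via <meta>, so it gives no clickjacking protection on GitHub Pages; left to document intent`. The `script-src 'self' 'unsafe-inline'` allowance likewise means the policy does not mitigate injected inline script, so the script-src bullet should state that limitation alongside the Nuxt hydration rationale, e.g. `// - script-src 'unsafe-inline' → required by Nuxt's inline hydration scripts; this forgoes CSP's protection against injected inline script`. The `NUXT_BASE_URL` guard is added but nothing in this hunk reads the variable; the defineNuxtConfig call continues outside the hunk, so presumably it is consumed there.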
