Files
wehub-resource-sync d48cda4081
CI / Test (ubuntu-latest, Node 18.x, bun) (push) Failing after 15m1s
CI / Test (ubuntu-latest, Node 18.x, npm) (push) Failing after 15m1s
CI / Test (ubuntu-latest, Node 18.x, pnpm) (push) Failing after 15m1s
CI / Test (ubuntu-latest, Node 18.x, yarn) (push) Failing after 15m1s
CI / Test (ubuntu-latest, Node 20.x, bun) (push) Failing after 17m13s
CI / Test (ubuntu-latest, Node 20.x, npm) (push) Failing after 18m42s
CI / Test (ubuntu-latest, Node 20.x, pnpm) (push) Failing after 15m0s
CI / Test (ubuntu-latest, Node 20.x, yarn) (push) Failing after 49m44s
CI / Test (ubuntu-latest, Node 22.x, bun) (push) Failing after 51m55s
CI / Test (ubuntu-latest, Node 22.x, pnpm) (push) Failing after 21m57s
CI / Test (ubuntu-latest, Node 22.x, npm) (push) Failing after 37m39s
CI / Test (ubuntu-latest, Node 22.x, yarn) (push) Failing after 34m7s
CI / Validate Components (push) Failing after 37m15s
CI / Python Tests (push) Failing after 10m1s
CI / Security Scan (push) Failing after 10m1s
CI / Lint (push) Failing after 17m12s
CI / Coverage (push) Failing after 20m19s
CI / Test (macos-latest, Node 18.x, bun) (push) Has been cancelled
CI / Test (macos-latest, Node 18.x, npm) (push) Has been cancelled
CI / Test (macos-latest, Node 18.x, pnpm) (push) Has been cancelled
CI / Test (macos-latest, Node 18.x, yarn) (push) Has been cancelled
CI / Test (windows-latest, Node 18.x, npm) (push) Has been cancelled
CI / Test (windows-latest, Node 18.x, pnpm) (push) Has been cancelled
CI / Test (windows-latest, Node 18.x, yarn) (push) Has been cancelled
CI / Test (macos-latest, Node 20.x, bun) (push) Has been cancelled
CI / Test (macos-latest, Node 20.x, npm) (push) Has been cancelled
CI / Test (macos-latest, Node 20.x, pnpm) (push) Has been cancelled
CI / Test (macos-latest, Node 20.x, yarn) (push) Has been cancelled
CI / Test (windows-latest, Node 20.x, npm) (push) Has been cancelled
CI / Test (windows-latest, Node 20.x, pnpm) (push) Has been cancelled
CI / Test (windows-latest, Node 20.x, yarn) (push) Has been cancelled
CI / Test (macos-latest, Node 22.x, bun) (push) Has been cancelled
CI / Test (macos-latest, Node 22.x, npm) (push) Has been cancelled
CI / Test (macos-latest, Node 22.x, pnpm) (push) Has been cancelled
CI / Test (macos-latest, Node 22.x, yarn) (push) Has been cancelled
CI / Test (windows-latest, Node 22.x, npm) (push) Has been cancelled
CI / Test (windows-latest, Node 22.x, pnpm) (push) Has been cancelled
CI / Test (windows-latest, Node 22.x, yarn) (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 11:55:55 +08:00

2.5 KiB

paths
paths
**/nuxt.config.*
**/app.config.*
**/server/**/*.ts

Nuxt Security

This file extends common/security.md with Nuxt specific content.

runtimeConfig public vs private

  • Root runtimeConfig keys are server-only. runtimeConfig.public serializes into EVERY page payload (client-visible).
  • Secrets go at root only. Never put secrets in app.config.ts or runtimeConfig.public, both ship to the client bundle.
  • Official warning: "Be careful not to expose runtime config keys to the client-side by either rendering them or passing them to useState."

Server-route input validation

  • Use h3 validating readers. Do NOT trust raw readBody / getQuery / getRouterParam.
    • readValidatedBody(event, schema) validates the body.
    • getValidatedQuery(event, schema) validates the query.
    • getValidatedRouterParams(event, schema) validates route params.
  • All accept a validation function or a Zod schema and throw on failure.

SSR payload leakage

  • Anything in useState, useFetch / useAsyncData results, or runtimeConfig.public is serialized into the client payload. Never write a secret into those.
  • Use useServerSeoMeta for server-only meta with no client cost.
  • Nuxt does NOT auto-attach the incoming user's cookies to outbound server-side $fetch.
  • Forward explicitly with useRequestFetch() (cleanest, pre-bound to request headers) or useRequestHeaders(['cookie']).
  • Relay a backend Set-Cookie to the browser via $fetch.raw + appendResponseHeader(event, 'set-cookie', ...).
  • socket.io is client-only (.client.ts plugin), never SSR.

SSRF on server $fetch

  • Server routes run with full network egress. Never pass user-controlled input directly into a server-side $fetch URL or host.
  • Validate the param first (h3 utilities above), allowlist the target, pin to runtimeConfig.public.apiBase, reject user-supplied absolute URLs.
  • Auto-trigger /security-review only for routes that make external network requests (server $fetch), handle auth tokens or credentials, or perform sensitive mutations or authorization checks. Examples: SSRF-prone proxy endpoints, token exchange or password reset, admin actions. Skip benign read-only routes that only accept validated query params.

Reference