d48cda4081
CI / Test (ubuntu-latest, Node 18.x, bun) (push) Failing after 15m1s
CI / Test (ubuntu-latest, Node 18.x, npm) (push) Failing after 15m1s
CI / Test (ubuntu-latest, Node 18.x, pnpm) (push) Failing after 15m1s
CI / Test (ubuntu-latest, Node 18.x, yarn) (push) Failing after 15m1s
CI / Test (ubuntu-latest, Node 20.x, bun) (push) Failing after 17m13s
CI / Test (ubuntu-latest, Node 20.x, npm) (push) Failing after 18m42s
CI / Test (ubuntu-latest, Node 20.x, pnpm) (push) Failing after 15m0s
CI / Test (ubuntu-latest, Node 20.x, yarn) (push) Failing after 49m44s
CI / Test (ubuntu-latest, Node 22.x, bun) (push) Failing after 51m55s
CI / Test (ubuntu-latest, Node 22.x, pnpm) (push) Failing after 21m57s
CI / Test (ubuntu-latest, Node 22.x, npm) (push) Failing after 37m39s
CI / Test (ubuntu-latest, Node 22.x, yarn) (push) Failing after 34m7s
CI / Validate Components (push) Failing after 37m15s
CI / Python Tests (push) Failing after 10m1s
CI / Security Scan (push) Failing after 10m1s
CI / Lint (push) Failing after 17m12s
CI / Coverage (push) Failing after 20m19s
CI / Test (macos-latest, Node 18.x, bun) (push) Has been cancelled
CI / Test (macos-latest, Node 18.x, npm) (push) Has been cancelled
CI / Test (macos-latest, Node 18.x, pnpm) (push) Has been cancelled
CI / Test (macos-latest, Node 18.x, yarn) (push) Has been cancelled
CI / Test (windows-latest, Node 18.x, npm) (push) Has been cancelled
CI / Test (windows-latest, Node 18.x, pnpm) (push) Has been cancelled
CI / Test (windows-latest, Node 18.x, yarn) (push) Has been cancelled
CI / Test (macos-latest, Node 20.x, bun) (push) Has been cancelled
CI / Test (macos-latest, Node 20.x, npm) (push) Has been cancelled
CI / Test (macos-latest, Node 20.x, pnpm) (push) Has been cancelled
CI / Test (macos-latest, Node 20.x, yarn) (push) Has been cancelled
CI / Test (windows-latest, Node 20.x, npm) (push) Has been cancelled
CI / Test (windows-latest, Node 20.x, pnpm) (push) Has been cancelled
CI / Test (windows-latest, Node 20.x, yarn) (push) Has been cancelled
CI / Test (macos-latest, Node 22.x, bun) (push) Has been cancelled
CI / Test (macos-latest, Node 22.x, npm) (push) Has been cancelled
CI / Test (macos-latest, Node 22.x, pnpm) (push) Has been cancelled
CI / Test (macos-latest, Node 22.x, yarn) (push) Has been cancelled
CI / Test (windows-latest, Node 22.x, npm) (push) Has been cancelled
CI / Test (windows-latest, Node 22.x, pnpm) (push) Has been cancelled
CI / Test (windows-latest, Node 22.x, yarn) (push) Has been cancelled
2.5 KiB
2.5 KiB
paths
| paths | |||
|---|---|---|---|
|
Nuxt Security
This file extends common/security.md with Nuxt specific content.
runtimeConfig public vs private
- Root
runtimeConfigkeys are server-only.runtimeConfig.publicserializes into EVERY page payload (client-visible). - Secrets go at root only. Never put secrets in
app.config.tsorruntimeConfig.public, both ship to the client bundle. - Official warning: "Be careful not to expose runtime config keys to the client-side by either rendering them or passing them to
useState."
Server-route input validation
- Use h3 validating readers. Do NOT trust raw
readBody/getQuery/getRouterParam.readValidatedBody(event, schema)validates the body.getValidatedQuery(event, schema)validates the query.getValidatedRouterParams(event, schema)validates route params.
- All accept a validation function or a Zod schema and throw on failure.
SSR payload leakage
- Anything in
useState,useFetch/useAsyncDataresults, orruntimeConfig.publicis serialized into the client payload. Never write a secret into those. - Use
useServerSeoMetafor server-only meta with no client cost.
Cookie and auth passthrough on SSR
- Nuxt does NOT auto-attach the incoming user's cookies to outbound server-side
$fetch. - Forward explicitly with
useRequestFetch()(cleanest, pre-bound to request headers) oruseRequestHeaders(['cookie']). - Relay a backend
Set-Cookieto the browser via$fetch.raw+appendResponseHeader(event, 'set-cookie', ...). - socket.io is client-only (
.client.tsplugin), never SSR.
SSRF on server $fetch
- Server routes run with full network egress. Never pass user-controlled input directly into a server-side
$fetchURL or host. - Validate the param first (h3 utilities above), allowlist the target, pin to
runtimeConfig.public.apiBase, reject user-supplied absolute URLs. - Auto-trigger
/security-reviewonly for routes that make external network requests (server$fetch), handle auth tokens or credentials, or perform sensitive mutations or authorization checks. Examples: SSRF-prone proxy endpoints, token exchange or password reset, admin actions. Skip benign read-only routes that only accept validated query params.
Reference
- ECC skills:
security-review,nuxt4-patterns. - Nuxt runtime config
- h3 request utils