access-control-allow-origin settings are too loose by default #118
Comments
Hey Lukasz, The website you linked is the documentation website of the module and does not use the nuxt-security module. What you see is the default behavior of Nuxt and the H3 HTTP engine, which sets the Allow Origins header by default.
The documentation website just shows how to use the module but does not use it, as having these security middlewares is not necessary for a static Markdown website ;)
I see, makes sense. I made an assumption that it's not only docs but also a demo. In this case please consider this task as a feature request instead of a bug, since this default behavior is still insecure :(
This will be released with the upcoming 0.12.0 version
Version
nuxt-security: 0.11.0
nuxt: 3.2.3
Reproduction Link
nuxt-security.vercel.app
Steps to reproduce
What is Expected?
The module gives me full security out of the box.
a) Don't set this header at all leaving the default browser behavior
or
b) Require the user to set this value or at least throw warnings when it's not set
What is actually happening?