Strict-Transport-Security
Enabled by default. Informs browsers that the site should only be accessed using HTTPS.
The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) informs browsers that the site should only be accessed using HTTPS, and that any future attempts to access it using HTTP should automatically be converted to HTTPS.
Usage
This header is enabled by default, but you can change its behavior as follows.
export default defineNuxtConfig({
  // Global
  security: {
    headers: {
      strictTransportSecurity: <OPTIONS>,
    },
  },
  // Per route
  routeRules: {
    '/custom-route': {
      security: {
        headers: {
          strictTransportSecurity: <OPTIONS>,
        },
      },
    }
  }
})
You can also disable this header by setting strictTransportSecurity: false.
Default value
By default, in owaspDefaults: 'compatibility' mode, Nuxt Security sets the following value for this header.
Strict-Transport-Security: max-age=15552000; includeSubDomains;
Available values
The strictTransportSecurity header can be configured with the following values.
strictTransportSecurity: {
  maxAge: number;
  includeSubdomains?: boolean;
  preload?: boolean;
} | false;
maxAge
The time, in seconds, that the browser should remember that a site is only to be accessed using HTTPS.
includeSubdomains
If this optional parameter is specified, this rule applies to all of the site's subdomains as well.
preload
See Preloading Strict Transport Security for details. When using preload, the max-age directive must be at least 31536000 (1 year), and the includeSubDomains directive must be present. Not part of the specification.
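As an added example (not nuxt-security's own code), the helpers below serialize the option shape shown above into a header value and check a configuration against the preload requirements just listed. The option names maxAge, includeSubdomains and preload come from the page; buildHstsHeader and checkPreloadReady are hypothetical helpers, and the sample configurations are constructed.

```javascript
// Added example, not part of the nuxt-security module.
// Assumes the option shape { maxAge, includeSubdomains?, preload? } | false
// documented above; the helper names below are hypothetical.

const ONE_YEAR = 31536000; // seconds; minimum max-age for preload

// Mirrors the 'compatibility' default shown above (constructed sample).
const compatibilityDefaults = { maxAge: 15552000, includeSubdomains: true };

// A configuration that satisfies the preload requirements (constructed sample).
const preloadConfig = { maxAge: ONE_YEAR, includeSubdomains: true, preload: true };

// Build the Strict-Transport-Security value from the options.
// Note: the module's own output ends with a trailing ';' (see the default
// value above); this helper omits it, which browsers treat identically.
function buildHstsHeader(opts) {
  if (opts === false) return null; // header disabled
  if (!Number.isInteger(opts.maxAge) || opts.maxAge < 0) {
    throw new TypeError('maxAge must be a non-negative integer number of seconds');
  }
  const directives = [`max-age=${opts.maxAge}`];
  if (opts.includeSubdomains) directives.push('includeSubDomains');
  if (opts.preload) directives.push('preload');
  return directives.join('; ');
}

// Return the list of reasons a configuration is not preload-ready
// (empty array means it meets every requirement stated above).
function checkPreloadReady(opts) {
  if (opts === false) return ['header is disabled'];
  const problems = [];
  if (!(opts.maxAge >= ONE_YEAR)) {
    problems.push(`max-age ${opts.maxAge} is below the required ${ONE_YEAR}`);
  }
  if (!opts.includeSubdomains) problems.push('includeSubDomains directive is missing');
  if (!opts.preload) problems.push('preload directive is missing');
  return problems;
}
```

Run it against your own strictTransportSecurity options before submitting a domain to a preload list; the default compatibility value intentionally fails the max-age check.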
Preloading Strict Transport Security
More information on preloading Strict Transport Security is available here.