Skip to content

fix: skip security headers when devtools is active #2331

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
RYGRIT wants to merge 1 commit into
base: main
Choose a base branch
from
+7 −0
Open

fix: skip security headers when devtools is active #2331

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions modules/security-headers.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,13 @@ import { TRUSTED_IMAGE_DOMAINS } from '#server/utils/image-proxy'
export default defineNuxtModule({
meta: { name: 'security-headers' },
setup(_, nuxt) {
const isDevtoolsRuntime =
nuxt.options.dev && nuxt.options.devtools !== false && !process.env.TEST
Comment on lines +23 to +24
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai bot Mar 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

In Nuxt module setup, what is the exact type/shape of nuxt.options.devtools (boolean vs object), and what is the recommended way to check whether DevTools is enabled when object-form config is used?

💡 Result:

In a Nuxt module's setup function, nuxt.options.devtools is an object (not a boolean). It has the shape of the DevTools module options, where the primary property to check for enabling DevTools is enabled: boolean (defaults to true). The recommended way to check whether DevTools is enabled (when object-form config is used) is: !!nuxt.options.devtools?.enabled. This handles cases where devtools might be undefined (if not explicitly set) or an object without enabled explicitly defined (falls back to default true). Examples from official docs and module source: - devtools: { enabled: true } or devtools: { enabled: false } - Full options: devtools: { enabled: true, vscode: {}, ... } Nuxt DevTools docs explicitly state "To configure Nuxt DevTools, you can pass the devtools options" and show object form with enabled. No sources show devtools as a top-level boolean in current versions (boolean shorthand was discussed in old issues but deprecated).

Citations:

Line 23–24: DevTools enabled check is incomplete; does not verify the enabled property.

The current check nuxt.options.devtools !== false will be true even when devtools.enabled is explicitly false, because nuxt.options.devtools is an object. This causes security headers to be incorrectly skipped when DevTools is disabled via configuration.

Suggested fix 
-    const isDevtoolsRuntime =
-      nuxt.options.dev && nuxt.options.devtools !== false && !process.env.TEST
+    const isDevtoolsRuntime =
+      nuxt.options.dev && !!nuxt.options.devtools?.enabled && !process.env.TEST


// Nuxt DevTools relies on injected client assets and an iframe-based UI in dev.
// Keep strict CSP/frame restrictions for non-dev environments.
if (isDevtoolsRuntime) return

// These assets are embedded directly on blog pages and should not affect image-proxy trust.
const cspOnlyImgOrigins = ['https://api.star-history.com', 'https://cdn.bsky.app']
const imgSrc = [
Expand Down
Loading