Invalid Syntax in Strict-Transport-Security Header Generation #647
Closed
Labels
bug (Something isn't working)
Description
Environment
- Operating System: Linux
- Node Version: v24.0.2
- Nuxt Version: 4.0.1
- CLI Version: 3.26.4
- Nitro Version: 2.12.4
- Package Manager: [email protected]
- Builder: -
- User Config: -
- Runtime Modules: [email protected]
- Build Modules: -
Nuxt Security Version
v2.3.0
Default setup used?
No, the bug happens only when I set custom values for the security option
Security options
defineNuxtConfig({
  security: {
    headers: {
      strictTransportSecurity: {
        maxAge: 31536000,
        includeSubdomains: true,
        preload: true,
      },
    },
  },
})
Reproduction
Reproduction steps are not needed, as the issue is obvious.
Description
The current implementation for generating the Strict-Transport-Security header in the utils/headers.js file contains invalid syntax according to the standard. The existing code is as follows:
return [
  `max-age=${policies.maxAge};`,
  policies.includeSubdomains && 'includeSubDomains;',
  policies.preload && 'preload;'
].filter(Boolean).join(' ')
To comply with the standard, the code should be modified to:
return [
  `max-age=${policies.maxAge}`,
  policies.includeSubdomains && "includeSubDomains",
  policies.preload && "preload"
].filter(Boolean).join("; ");
Additional context
For reference, please see the MDN documentation on Strict-Transport-Security for more details on the expected format.
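The two builders quoted in the issue, run side by side with a small lint for the compact `max-age=<n>; includeSubDomains; preload` form, as an added example that is not nuxt-security's own code. The names `buildBefore`, `buildAfter` and `lintHsts` are hypothetical, and treating an empty directive as a finding is this example's strictness choice.

```javascript
// Added example, not nuxt-security's code. Function names are hypothetical.

// Builder as quoted in the issue ("before"): each directive carries its own ';'.
function buildBefore(policies) {
  return [
    `max-age=${policies.maxAge};`,
    policies.includeSubdomains && 'includeSubDomains;',
    policies.preload && 'preload;'
  ].filter(Boolean).join(' ')
}

// Builder as proposed in the issue ("after"): ';' appears only between directives.
function buildAfter(policies) {
  return [
    `max-age=${policies.maxAge}`,
    policies.includeSubdomains && 'includeSubDomains',
    policies.preload && 'preload'
  ].filter(Boolean).join('; ')
}

// Lint a header value against the compact form the issue asks for.
// Returns a list of findings; an empty list means the value passes.
function lintHsts(value) {
  const findings = []
  const seen = new Set()
  for (const raw of value.split(';')) {
    const directive = raw.trim()
    if (directive === '') { findings.push('empty directive (stray ";")'); continue }
    const [name, ...rest] = directive.split('=')
    const key = name.trim().toLowerCase() // directive names are case-insensitive
    if (seen.has(key)) findings.push(`duplicate directive: ${key}`)
    seen.add(key)
    if (key === 'max-age') {
      if (!/^\d+$/.test(rest.join('=').trim())) findings.push('max-age is not a bare non-negative integer')
    } else if (key === 'includesubdomains' || key === 'preload') {
      if (rest.length) findings.push(`${key} takes no value`)
    } else {
      findings.push(`unexpected directive: ${key}`)
    }
  }
  if (!seen.has('max-age')) findings.push('max-age is missing')
  return findings
}

// Constructed sample input: the option values from the report above.
const sample = { maxAge: 31536000, includeSubdomains: true, preload: true }
for (const build of [buildBefore, buildAfter]) {
  const value = build(sample)
  console.log(JSON.stringify(value), lintHsts(value))
}
```

A check like `lintHsts(buildAfter(options)).length === 0` can serve as a regression test over every option combination the module accepts.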