cc0cb01d28
This commit implements several security enhancements based on the findings of a new security audit report, which has also been added to the documentation. - **Security Headers:** Adds a strict Content-Security-Policy (CSP) and other security headers (X-Content-Type-Options, Referrer-Policy) via Nuxt route rules. - **Production Hardening:** Disables Nuxt DevTools in production environments to reduce the attack surface. - **Mixed Content:** All image assets are now loaded over HTTPS to resolve mixed content issues. - **Tabnabbing:** Secures `window.open` calls by adding `noopener,noreferrer`. - **Configuration:** Updates `.gitignore` to ignore all `.env.*` files. - **Docs:** Adds the full security audit report for reference. - **Build:** Corrects a case-sensitive import path to ensure cross-platform build compatibility.
94 lines
2.6 KiB
TypeScript
94 lines
2.6 KiB
TypeScript
const DEFAULT_SEO = {
|
|
title: "Tootaio Studio",
|
|
description:
|
|
"A creative technology studio offering custom development services, specializing in full-stack solutions for websites, software, games, and interactive experiences.",
|
|
keywords:
|
|
"Tootaio, Tootaio Studio, custom development, full-stack solutions, web development, software development, game development, interactive experiences",
|
|
url: "https://tootaio.com",
|
|
image: "https://tootaio.com/og-image-1.png",
|
|
};
|
|
|
|
// https://nuxt.com/docs/api/configuration/nuxt-config
|
|
export default defineNuxtConfig({
|
|
compatibilityDate: "2025-07-15",
|
|
devtools: { enabled: process.env.NODE_ENV !== "production" },
|
|
modules: [
|
|
"@nuxt/content",
|
|
"@nuxt/ui",
|
|
"@nuxt/eslint",
|
|
"@nuxtjs/i18n",
|
|
"@nuxtjs/seo",
|
|
],
|
|
runtimeConfig: {
|
|
public: {
|
|
whatsappNumber: "+601234567890",
|
|
},
|
|
},
|
|
routeRules: {
|
|
"/**": {
|
|
headers: {
|
|
"Content-Security-Policy": [
|
|
"default-src 'self'",
|
|
"script-src 'self'",
|
|
"style-src 'self' 'unsafe-inline'",
|
|
"img-src 'self' https://img.tootaio.com data:",
|
|
"connect-src 'self'",
|
|
"frame-ancestors 'self'",
|
|
"upgrade-insecure-requests",
|
|
].join("; "),
|
|
"X-Content-Type-Options": "nosniff",
|
|
"Referrer-Policy": "strict-origin-when-cross-origin",
|
|
},
|
|
},
|
|
"/_nuxt/**": {
|
|
headers: { "cache-control": "public, max-age=31536000, immutable" },
|
|
},
|
|
},
|
|
css: ["@/assets/css/main.css"],
|
|
app: {
|
|
head: {
|
|
titleTemplate: "%s - Tootaio Studio",
|
|
meta: [
|
|
{ name: "viewport", content: "width=device-width, initial-scale=1" },
|
|
{ charset: "utf-8" },
|
|
],
|
|
},
|
|
},
|
|
i18n: {
|
|
defaultLocale: "en",
|
|
locales: [
|
|
{
|
|
code: "en",
|
|
iso: "en-US",
|
|
name: "English",
|
|
files: ["en-US/common.json", "en-US/index.json"],
|
|
},
|
|
{
|
|
code: "zh-CN",
|
|
iso: "zh-CN",
|
|
name: "简体中文",
|
|
files: ["zh-CN/common.json", "zh-CN/index.json"],
|
|
},
|
|
],
|
|
strategy: "no_prefix",
|
|
},
|
|
seo: {
|
|
meta: {
|
|
title: DEFAULT_SEO.title,
|
|
description: DEFAULT_SEO.description,
|
|
keywords: DEFAULT_SEO.keywords,
|
|
ogTitle: DEFAULT_SEO.title,
|
|
ogDescription: DEFAULT_SEO.description,
|
|
ogImage: DEFAULT_SEO.image,
|
|
ogUrl: DEFAULT_SEO.url,
|
|
twitterCard: "summary_large_image",
|
|
twitterTitle: DEFAULT_SEO.title,
|
|
twitterDescription: DEFAULT_SEO.description,
|
|
twitterImage: DEFAULT_SEO.image,
|
|
},
|
|
},
|
|
site: {
|
|
url: "https://tootaio.com",
|
|
},
|
|
});
|