Reputation: 272
How to set Content Security Policy Headers in a Vue.js app
I'm trying to make my Vue app secure, by eliminating clickjacking.
I'm not sure how to set the headers of the Vue server, the methods the X Frame or Frame Ancestor directives in a meta tag like:
<meta http-equiv="Content-Security-Policy" content="X-Frame-Options: DENY:"
/>
However, the links below say that this is unsupported https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
I realise that for API requests, these headers should be set in the backend, however, this is to load the home page of the app (no api requests made).
How can I set these headers in my Vue.js server
Upvotes: 1
Views: 4561
Answers (1)
Reputation: 943089
The homepage of the app is still loaded over HTTP.
The browser makes an HTTP request to get an HTML document. That HTML document includes <script> elements which cause the browser to fetch some JS. The browser runs some JS and uses it to modify the HTML document in the Vue app.
You should configure the X-Frame-Options and Content-Security-Policy to be served in the HTTP response headers for the response that delivers that initial HTML document which bootstraps the application.
The not-so-good approach is to set a CSP using a <meta> tag (in that same HTML document). You can't set X-Frame-Options that way.
Upvotes: 1
Related Questions
- How to set HTTP header in vue-cli?
- How to add Security Headers in Vue App running on tomcat
- Content-Security-Policy blocks Vue.js
- Content Security Policy reject XSS attacks in v-html
- How to allow cors policy on fetch of vue.js to backend?
- Adding Access-Control-Allow-Origin headers to vuejs CLI webpack server
- How to add CSP header (Content-Security-Policy) to vuejs app?
- How to allow Request header field access-control-allow-origin on VueJS
- Content security policy blocks my rest calls in Vue.js
- Vue inline template and CSP