Strict-Transport-Security

Enabled: informs browsers that the site should only be accessed using HTTPS.


The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) informs browsers that the site should only be accessed using HTTPS, and that any future attempts to access it using HTTP should automatically be converted to HTTPS.

ℹ Read more about this header here.

Usage

This header is enabled by default, but you can change its behavior as follows.

export default defineNuxtConfig({
  // Global
  security: {
    headers: {
      strictTransportSecurity: <OPTIONS>,
    },
  },

  // Per route
  routeRules: {
    '/custom-route': {
      security: {
        headers: {
          strictTransportSecurity: <OPTIONS>,
        },
      },
    }
  }
})

You can also disable this header entirely by setting strictTransportSecurity: false.

Default value

By default, in owaspDefaults: 'compatibility' mode, Nuxt Security sets the following value for this header.

Strict-Transport-Security: max-age=15552000; includeSubDomains;

Available values

The strictTransportSecurity header can be configured with the following values.

strictTransportSecurity: {
  maxAge: number;
  includeSubdomains?: boolean;
  preload?: boolean;
} | false;

maxAge

The time, in seconds, that the browser should remember that the site is only to be accessed using HTTPS. The default of 15552000 corresponds to 180 days.

includeSubdomains

If this optional parameter is set, the rule applies to all of the site's subdomains as well (emitted as the includeSubDomains directive).

preload

See Preloading Strict Transport Security for details. When using preload, the max-age directive must be at least 31536000 (1 year), and the includeSubDomains directive must be present. The preload directive is not part of the specification; it signals that the site may be submitted to the browser preload list, which hard-codes the HTTPS-only policy before the first visit.

ℹ Read more about Preloading Strict Transport Security here.
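The option shape under "Available values" and the preload constraints described above can be exercised with a small helper. The following is an added example and not nuxt-security's own code: it serialises a strictTransportSecurity option object into a header value, parses a header value back (tolerating the trailing ";" in the compatibility default), and lists the reasons a configuration would not be eligible for preloading. The function names (buildHstsHeader, parseHstsHeader, preloadProblems) and the sample values are assumptions made for this example.

```typescript
// Added example: serialise, parse and sanity-check Strict-Transport-Security
// values for the option shape documented above. Not nuxt-security's code.

type HstsObject = {
  maxAge: number;
  includeSubdomains?: boolean;
  preload?: boolean;
};
type HstsOptions = HstsObject | false;

// hstspreload.org requires max-age of at least one year (31536000 seconds).
const ONE_YEAR_SECONDS = 31536000;

// Build the header value from the option object. Returns null when the
// option is false, meaning no Strict-Transport-Security header is emitted.
function buildHstsHeader(options: HstsOptions): string | null {
  if (options === false) return null;
  const directives: string[] = [`max-age=${options.maxAge}`];
  if (options.includeSubdomains) directives.push('includeSubDomains');
  if (options.preload) directives.push('preload');
  return directives.join('; ');
}

// Parse a raw header value (e.g. from a deployed response) back into the
// option object, ignoring empty directives such as the trailing ';'.
function parseHstsHeader(value: string): HstsObject {
  const result: HstsObject = { maxAge: 0, includeSubdomains: false, preload: false };
  for (const raw of value.split(';')) {
    const directive = raw.trim();
    if (directive === '') continue;
    const eq = directive.indexOf('=');
    const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    const val = eq === -1 ? '' : directive.slice(eq + 1).trim();
    if (name === 'max-age') result.maxAge = Number(val);
    else if (name === 'includesubdomains') result.includeSubdomains = true;
    else if (name === 'preload') result.preload = true;
  }
  return result;
}

// Return every reason the configuration would be rejected by the preload
// list: header disabled, preload directive absent, max-age shorter than one
// year, or includeSubDomains missing. An empty list means it is eligible.
function preloadProblems(options: HstsOptions): string[] {
  if (options === false) return ['header is disabled (strictTransportSecurity: false)'];
  const problems: string[] = [];
  if (!options.preload) problems.push('preload directive is not set');
  if (options.maxAge < ONE_YEAR_SECONDS)
    problems.push(`max-age ${options.maxAge} is below ${ONE_YEAR_SECONDS} (1 year)`);
  if (!options.includeSubdomains) problems.push('includeSubDomains directive is missing');
  return problems;
}

// Constructed sample: the compatibility default quoted on this page.
const compatibilityDefault = 'max-age=15552000; includeSubDomains;';

// Constructed sample: a configuration intended for preload submission.
const preloadReady: HstsOptions = {
  maxAge: ONE_YEAR_SECONDS,
  includeSubdomains: true,
  preload: true,
};

console.log(buildHstsHeader(parseHstsHeader(compatibilityDefault)));
console.log(preloadProblems(parseHstsHeader(compatibilityDefault)));
console.log(preloadProblems(preloadReady));
```

Parsing the deployed value and feeding it back through preloadProblems is a quick check to run against a staging response before submitting a domain to the preload list, since a preload entry is hard to revert once browsers ship it.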