A comprehensive guide to securing your Nuxt application, covering 10 vulnerability categories with framework-specific code examples and best practices.
Use `useRuntimeConfig()` to manage environment variables. Only values in the `public` key are exposed to the client.
Validate all server API route inputs using Zod or a validation library. Nuxt server routes are public endpoints.
Use the `nuxt-security` module for automatic security headers, rate limiting, and request size limits.
Implement authentication middleware using Nuxt's `defineNuxtRouteMiddleware` for route-level protection.
Be cautious with `useFetch()` and `$fetch()` on the server side: validate any user-supplied URL before fetching it to prevent SSRF attacks.
Use `setCookie()` with `httpOnly`, `secure`, and `sameSite` options for session management.
Configure CORS carefully in server routes. Nuxt does not apply CORS restrictions by default on API routes.
Avoid rendering unsanitized HTML in Nuxt pages. Use `v-text` instead of `v-html` wherever possible.
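As an added example that is not part of the original guide, here is the URL validation the SSRF point above calls for: a check a Nuxt server route can run on a user-supplied URL before handing it to `$fetch()`. The allowed upstream host names and the `server/api/proxy.get.js` wiring are assumptions made for this example.

```javascript
// Added example, not code from the original guide: refuse a user-supplied URL
// before a Nuxt server route passes it to $fetch(). The allowed upstream host
// names below are assumptions made for this example.
const ALLOWED_HOSTS = new Set(['api.example.com', 'cdn.example.com']);

// True for IPv4 literals in the unspecified, loopback, link-local and RFC 1918
// ranges. The WHATWG URL parser already normalises decimal and hex forms
// (e.g. 2130706433, 0x7f000001) to dotted quads before this runs.
function isPrivateIPv4(host) {
  const m = host.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Returns the normalised URL string to fetch, or null when the input must be refused.
function validateOutboundUrl(raw, allowedHosts = ALLOWED_HOSTS) {
  let url;
  try {
    url = new URL(String(raw));              // throws on relative or malformed input
  } catch {
    return null;
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null; // no file:, ftp:, ...
  if (url.username || url.password) return null;   // "allowed-host@real-host" carries credentials
  const host = url.hostname;                       // already lower-cased by the parser
  if (host.startsWith('[')) return null;           // IPv6 literals such as [::1]
  if (isPrivateIPv4(host)) return null;            // loopback / link-local / private ranges
  if (!allowedHosts.has(host)) return null;        // only known upstreams, exact match
  if (url.port !== '' && url.port !== '80' && url.port !== '443') return null;
  return url.toString();
}

// Wiring inside server/api/proxy.get.js (Nuxt/h3 auto-imports; not executed here):
//
//   export default defineEventHandler(async (event) => {
//     const target = validateOutboundUrl(getQuery(event).url);
//     if (!target) throw createError({ statusCode: 400, statusMessage: 'URL not allowed' });
//     return $fetch(target);
//   });
```

Host allow-listing checks the name the request was written with; if the allowed upstream itself can be pointed at an internal address (for example through DNS), the fetch still reaches it, so keep the allow list to hosts you control.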
Cross-Site Scripting (XSS)
A03:2021 - Injection · CWE-79
Cross-Site Request Forgery (CSRF)
A01:2021 - Broken Access Control · CWE-352
Insecure Direct Object References (IDOR)
A01:2021 - Broken Access Control · CWE-639
Sensitive Data Exposure
A02:2021 - Cryptographic Failures · CWE-200
Server-Side Request Forgery (SSRF)
A10:2021 - Server-Side Request Forgery · CWE-918
Automatically test your Nuxt application for all 10 vulnerability categories. Get actionable results in minutes.