Description
We have a scenario in Nuxt where certain pages are statically generated (SSG), while the rest of the site runs in SSR mode or another runtime rendering mode. Currently, the nuxt-security module computes SHA hashes for scripts and styles on these static pages and injects them via a meta tag in the Content Security Policy.
The problem is that in a mixed environment like this, these hashes might not account for all scripts and styles that would be present if the page were purely SSR. Essentially, since we still have a running Node process serving SSR content, it would be more flexible to dynamically inject a correct nonce for scripts and styles at runtime, as if the page were fully SSR.
In other words, instead of relying on static meta tags for CSP hashes, we’d want nuxt-security to use HTTP headers and dynamically provide the nonce. That way, even for partially pre-generated static pages, the nonce is always correct and consistent.
The question is whether this can currently be configured, and if not, is it possible to add this feature to the module?
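An added example of the behaviour requested above, not part of the issue and not nuxt-security's own code: a Node-side step that takes prerendered HTML, removes the build-time CSP meta tag, stamps a per-request nonce on script, style and link tags, and sends the policy as an HTTP header. The function names, sample HTML and policy directives are assumptions. The meta tag is removed because a browser enforces a meta policy and a header policy together, so leftover hashes would still block nonce-only scripts.

```javascript
// Added example, not nuxt-security code. All names here are hypothetical.
const { randomBytes } = require('node:crypto');

// Constructed sample of a prerendered page carrying a build-time hash policy.
const SAMPLE_HTML = `<html><head>
<meta http-equiv="Content-Security-Policy" content="script-src 'sha256-PLACEHOLDER'">
<link rel="stylesheet" href="/_nuxt/entry.css">
<style>body{margin:0}</style></head>
<body><script>window.__APP__={}</script><script src="/_nuxt/entry.js"></script></body></html>`;

// Fresh 128-bit nonce per response; a nonce must never be reused.
function generateNonce() {
  return randomBytes(16).toString('base64');
}

// Regex rewriting is a simplification (a production version would use an HTML
// parser). Only apply it to trusted build output: every tag found gets blessed.
function applyNonce(html, nonce) {
  return html
    .replace(/<meta\s+http-equiv=["']Content-Security-Policy["'][^>]*>/gi, '')
    .replace(/<(script|style|link)\b([^>]*)>/gi, (tag, name, attrs) => {
      // Discard any stale nonce baked in at build time before adding ours.
      const clean = attrs.replace(/\snonce=(["'])[^"']*\1/gi, '');
      return `<${name} nonce="${nonce}"${clean}>`;
    });
}

// Assumed policy for illustration; adjust directives to the application.
function buildCspHeader(nonce) {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    `style-src 'self' 'nonce-${nonce}'`,
    "object-src 'none'",
    "base-uri 'none'",
  ].join('; ');
}

// Returns what the server would send for one request to a prerendered route.
function serveStaticPage(prerenderedHtml) {
  const nonce = generateNonce();
  return {
    headers: {
      'Content-Security-Policy': buildCspHeader(nonce),
      // A cached copy would replay the same nonce to every visitor.
      'Cache-Control': 'no-store',
    },
    body: applyNonce(prerenderedHtml, nonce),
  };
}
```

The `no-store` header is the trade-off of this approach: the HTML file is still prerendered, but each response has to pass through the running Node process rather than a CDN cache.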