docs: rewrite security guide with defaults-first framing

harlan-zw · harlan-zw · commit 0972cd786b32 · 2026-03-27T02:10:03.000+11:00
Remove GHSA references, SSRF details, social media crawler section,
and relative path section. Lead with secure defaults messaging and
only detail configurable options.
diff --git a/docs/content/3.guides/13.security.md b/docs/content/3.guides/13.security.md
@@ -1,13 +1,11 @@
 ---
 title: Security
-description: Protect your OG image endpoint from abuse and server-side request forgery.
+description: Learn about the security defaults and how to further harden your OG image endpoint.
 ---
 
-Nuxt OG Image generates images on the server. Without proper limits, the `/_og` endpoint can be exploited to exhaust memory, trigger long renders, or fetch internal resources.
+Nuxt OG Image ships with secure defaults by default. Image dimensions are clamped, renders are time limited, internal network requests are blocked, and user provided props are sanitized. No configuration is needed for these protections.
 
-## Quick Start
-
-If you need runtime OG images and want to lock things down quickly, add this to your config:
+If you want to lock things down further, the `security` config key gives you additional controls.
 
 ```ts [nuxt.config.ts]
 export default defineNuxtConfig({
@@ -20,11 +18,9 @@ export default defineNuxtConfig({
 })
 ```
 
-This ensures only requests to your configured hostname are served and rejects oversized query strings. Read on for full details on each option.
-
 ## Prerender Your Images
 
-The single most effective security measure is to **prerender your OG images at build time** using [Zero Runtime mode](/docs/og-image/guides/zero-runtime). Prerendered images are served as static files, bypassing all runtime rendering code.
+The most effective security measure is to **prerender your OG images at build time** using [Zero Runtime mode](/docs/og-image/guides/zero-runtime). Prerendered images are served as static files with no runtime rendering code in your production build.
 
 ```ts [nuxt.config.ts]
 export default defineNuxtConfig({
@@ -38,18 +34,19 @@ When zero runtime is enabled:
 - No server-side rendering code is included in your production build
 - Images are generated once at build time and served as static assets
 - The `/_og` endpoint is not available at runtime
-- There is no attack surface for DOS, SSRF, or origin abuse
 
 If your OG images don't need to change dynamically after deployment, this is the recommended approach.
 
 For sites that need a mix of static and dynamic images, you can prerender specific routes while keeping runtime generation available for others. See the [Zero Runtime guide](/docs/og-image/guides/zero-runtime) for configuration details.
 
 ## Dimension and Render Limits
 
-Every request has its `width` and `height` clamped to `maxDimension` (default `2048` pixels) after all option sources merge. The Takumi renderer's `devicePixelRatio` is capped to `maxDpr` (default `2`).
+Every request has its `width` and `height` clamped to `maxDimension` (default `2048` pixels). The Takumi renderer's `devicePixelRatio` is capped to `maxDpr` (default `2`).
 
 If a render exceeds `renderTimeout` (default `10000ms`), it is aborted and the server returns a `408` status.
 
+These are all enabled by default. You only need to configure them if you want different limits.
+
 ```ts [nuxt.config.ts]
 export default defineNuxtConfig({
   ogImage: {
@@ -62,8 +59,6 @@ export default defineNuxtConfig({
 })
 ```
 
-These defaults protect against the denial of service vector described in [GHSA-c7xp-q6q8-hg76](https://github.com/nuxt-modules/og-image/security/advisories/GHSA-c7xp-q6q8-hg76), where requests like `/_og/d/og.png?width=20000&height=20000` could exhaust server memory.
-
 ## Query String Size Limit
 
 OG image options can be passed via query parameters. By default there is no size limit on the query string, but you can set `maxQueryParamSize` to reject requests with oversized query strings.
@@ -82,20 +77,6 @@ Requests exceeding this limit receive a `400` response.
 
 If you find yourself passing large amounts of data through query parameters (titles, descriptions, full text), consider loading that data inside your OG image component instead. See the [Performance guide](/docs/og-image/guides/performance#reduce-url-size) for the recommended pattern.
 
-## SSRF Protection
-
-OG image templates can reference external images via `<img src>`{lang="html"} or CSS `background-image`. Outside of dev mode, the module blocks fetches to private and loopback addresses to prevent server-side request forgery (SSRF).
-
-Blocked targets include:
-- Loopback (`127.0.0.0/8`, `::1`, `localhost`)
-- Private networks (`10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`)
-- Link-local (`169.254.0.0/16`, `fe80::`)
-- IPv6 unique local (`fc00::`, `fd00::`)
-- Alternative IP encodings (hex `0x7f000001`, decimal `2130706433`, IPv6-mapped `::ffff:127.0.0.1`)
-- Non-HTTP protocols (`file://`, `ftp://`, etc.)
-
-This runs automatically in production. No configuration is required.
-
 ## Restrict Runtime Images to Origin
 
 When runtime image generation is enabled, anyone who knows the `/_og` endpoint pattern can request an image directly. The `restrictRuntimeImagesToOrigin` option limits runtime generation to requests whose `Host` header matches your configured site URL.
@@ -130,23 +111,15 @@ export default defineNuxtConfig({
 })
 ```
 
-### Social Media Crawlers
-
-Social media crawlers (Twitter/X, Facebook, LinkedIn, Discord) always send the `Host` header when fetching your `og:image` URL, so this check works transparently with them. No special configuration is needed.
-
-This option is still **disabled by default** to avoid surprises for sites behind non-standard proxy setups. If your reverse proxy forwards the correct `Host` or `X-Forwarded-Host` header, you can safely enable it.
-
-### Relative OG Image Paths
-
-Using a relative path in your `og:image` meta tag (e.g. `/_og/d/og.png` instead of `https://example.com/_og/d/og.png`) does not affect this check. Social media crawlers resolve relative paths against the page URL before making the request, and the resulting HTTP request will include the correct `Host` header for your domain.
+This option is **disabled by default** to avoid surprises for sites behind non-standard proxy setups. If your reverse proxy forwards the correct `Host` or `X-Forwarded-Host` header, you can safely enable it.
 
 ::note
 Prerendering and dev mode bypass the host check entirely.
 ::
 
 ## Debug Mode Warning
 
-Enabling `ogImage.debug` in production exposes the `/_og/debug.json` endpoint and disables some security restrictions. The module will log a warning at build time if debug is enabled outside of dev mode. Make sure to disable it before deploying.
+Enabling `ogImage.debug` in production exposes the `/_og/debug.json` endpoint. The module will log a warning at build time if debug is enabled outside of dev mode. Make sure to disable it before deploying.
 
 ```ts [nuxt.config.ts]
 export default defineNuxtConfig({
