Nuxt

Security scanning for Nuxt apps

Nuxt 3’s useRuntimeConfig pattern (with separate public and private keys) handles the env-leak problem well. Where Nuxt apps still slip: missing CSP/HSTS, /api/* CORS misconfig, and cookies set without proper flags.

Most common issues

  1. Missing CSP/HSTS on the deployed app (use nuxt-security or @nuxtjs/security module)
  2. /api/* server routes with wildcard CORS or no auth check
  3. Session cookies missing Secure/HttpOnly when set via setCookie
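To make the three issues above concrete, here is an added example (not SafeToShip's or Nuxt's own code) of a minimal header/CORS/cookie check run over two constructed responses from a hypothetical Nuxt deployment; the paths, header values and cookie names are made up for illustration.

```javascript
// Constructed sample: what a scanner might receive from a Nuxt page and a
// Nuxt server route. Header names are assumed to be lower-cased already.
const SAMPLE_RESPONSES = [
  {
    path: "/",
    headers: {
      "content-type": "text/html",
      "content-security-policy": "default-src 'self'",
      "strict-transport-security": "max-age=31536000; includeSubDomains",
      "set-cookie": ["nuxt-session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"],
    },
  },
  {
    path: "/api/profile",
    headers: {
      "content-type": "application/json",
      "access-control-allow-origin": "*",
      "set-cookie": ["session=def456; Path=/"],
    },
  },
];

// Returns one finding string per problem in a single response, covering the
// three "most common issues" listed above (CSP/HSTS, /api/* CORS, cookie flags).
function checkResponse({ path, headers }) {
  const findings = [];
  if (!headers["content-security-policy"]) findings.push(`${path}: missing Content-Security-Policy`);
  if (!headers["strict-transport-security"]) findings.push(`${path}: missing Strict-Transport-Security`);
  // Wildcard CORS on a server route: any origin can read the response body.
  if (path.startsWith("/api/") && headers["access-control-allow-origin"] === "*") {
    findings.push(`${path}: wildcard CORS on server route`);
  }
  // Parse each Set-Cookie value: "name=value; Attr; Attr=..." and collect attribute names.
  for (const cookie of headers["set-cookie"] ?? []) {
    const [pair, ...attrs] = cookie.split(";").map((s) => s.trim());
    const name = pair.split("=")[0];
    const flags = new Set(attrs.map((a) => a.split("=")[0].toLowerCase()));
    const missing = ["secure", "httponly"].filter((f) => !flags.has(f));
    if (missing.length) findings.push(`${path}: cookie "${name}" missing ${missing.join("/")}`);
  }
  return findings;
}

// Scan a list of responses and flatten the findings.
function scan(responses) {
  return responses.flatMap(checkResponse);
}

console.log(scan(SAMPLE_RESPONSES));
```

The page route passes cleanly, while the /api/profile route produces four findings: no CSP, no HSTS, wildcard CORS, and a session cookie without Secure/HttpOnly.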

What SafeToShip checks for Nuxt

  • headers
  • js-secrets
  • cors
  • cookies
  • ssl
  • exposed-files

FAQ

Frequently asked questions

What is the easiest way to add CSP in Nuxt?
npm i nuxt-security — it ships secure defaults for CSP, HSTS, X-Content-Type-Options, and frame-ancestors. Override individual directives only as needed.
Are useRuntimeConfig public values safe to ship?
Yes — anything under runtimeConfig.public is shipped to the client by design. Use that namespace ONLY for non-secret values. Server secrets stay under the top-level runtimeConfig.

Run a Nuxt security scan

Free. 70+ checks. 60 seconds.