@nlo/nuxt-common-base-application v1.4.0

NLO Nuxt common base application

This base nuxt application contains shared setup for creating and maintaining NLO lottery website applications in Nuxt.

This should only be included directly by lottery websites, so we can update @nlo/nuxt-common independently of this package.

Features:

• Dictate nuxt version for verticals
• Add security headers

Include in vertical

To include this nuxt layer into your own application, add it to the layers array in nuxt.config.ts, like so:

export default defineNuxtConfig({
	extends: ['@nlo/nuxt-common-base-application'],
});

Npm commands:

• npm run lint to run prettier and typescript checks
• npm run test to run unit tests
• npm run dev to run the nuxt application

Environment variables

• NUXT_REDIS_OPTIONS_BASE The prefix of the key of the cache entries
• NUXT_REDIS_OPTIONS_URL The url to the redis instance
• NUXT_REDIS_OPTIONS_TTL The time to live of the cache entries
• NUXT_ENABLE_REDIS_CACHE Boolean indicating if redis should be enabled for page caching
• NUXT_LRU_OPTIONS_MAX Maximum number of LRU cache entries
• NUXT_ENABLE_LRU_CACHE Boolean indicating if LRU cache should be enabled for page caching

Security headers

For applying the best practices around security headers, we use https://nuxt-security.vercel.app. Using a library forces us to work in a security-by-default way of working. Information about required security headers can be found here: https://loterij.atlassian.net/wiki/spaces/NLDT/pages/3571253310/Required+http+headers+security

These security headers are applied by default, but need to be adjusted per vertical. Primarily specifying which resource-type is allowed from what domain is required.

Example configuration to allow every type of resource from the Portal domain:

nuxt.config.ts

security: {
	headers: {
		contentSecurityPolicy: {
			'default-src': ['https://www.nederlandseloterij.nl'],
		},
	},
},

If you want to allow all resources from all domains, use the following example:

nuxt.config.ts

security: {
	headers: {
		contentSecurityPolicy: {
			'default-src': ['*'],
		},
	},
},

Note that these configurations are built-time only. If you want to have run-time configuration (such as limit which domains are allowed), use the NUXT_SECURITY_HEADERS_CONTENT_SECURITY_POLICY_DEFAULT_SRC environment variable with the specified format:

[\"https://my-allowed-website.nl\",\"\'unsafe-inline\'\",\"\'unsafe-eval\'\",\"wss:\"]

This format is basically a string-array in escaped json format. but the single-quotes around unsafe-inline and unsafe-eval are required.

Note: For now we haven't added per-resource exclusion from nuxt-common since that would introduce a lot of configuration in every website.

For more details, see the website of the library.