Merged
7 changes: 6 additions & 1 deletion .github/workflows/ci.yml
@@ -38,4 +38,9 @@ jobs:
# 3. Tests
# Only runs if the code is clean and type-safe.
- name: Test
run: bun test
run: bun test

# 4. Build (Final verification)
# This ensures your project can actually be deployed.
- name: Build
run: bun run build
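Review bot: the deleted and added `run: bun test` lines render identically, so this part of the hunk is presumably a whitespace or indentation fix; please confirm in the raw diff that `run:` now sits at the same indentation as `name:` under `- name: Test`, since a mis-indented `run:` fails workflow validation rather than silently skipping the step. The new `Build` step mirrors the `Test` step's structure, which is fine, but its comment "Only runs if the code is clean and type-safe" style ordering should be kept in mind: a build failure here only blocks merge if branch protection requires this job.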
51 changes: 51 additions & 0 deletions nitro.config.ts
@@ -0,0 +1,51 @@
import { defineNitroConfig } from "nitro/config";

export default defineNitroConfig({
// Optimize for Bun since you are using it
style: The Bun preset is already configured in vite.config.ts:16 via the Nitro Vite plugin. Consider removing this duplicate configuration to avoid conflicts.

preset: "bun",

// Enable compression for static assets (gzip/brotli)
compressPublicAssets: true,

routeRules: {
"/**": {
headers: {
// 1. Security: Block MIME type sniffing
"X-Content-Type-Options": "nosniff",

// 2. Security: Prevent clickjacking (embedding in iframes)
"X-Frame-Options": "DENY",

// 3. Privacy: Control how much referrer info is sent
"Referrer-Policy": "strict-origin-when-cross-origin",

// 4. Security: Force HTTPS (HSTS) - Critical for production
// max-age=63072000 is 2 years. includeSubDomains covers subdomains.
"Strict-Transport-Security":
"max-age=63072000; includeSubDomains; preload",

// 5. Hardware Access: Restrict access to sensitive device features
"Permissions-Policy":
"camera=(), microphone=(), geolocation=(), payment=(), usb=()",

// 6. Content Security Policy (CSP)
// Allow scripts/images from 'self' and Cloudflare (for Turnstile).
// object-src 'none' prevents Flash/Java plugins (best practice).
// upgrade-insecure-requests forces HTTP links to load as HTTPS.
"Content-Security-Policy": [
"default-src 'self'",
"script-src 'self' 'unsafe-inline' https://challenges.cloudflare.com",
"connect-src 'self' https://challenges.cloudflare.com",
"frame-src 'self' https://challenges.cloudflare.com",
"style-src 'self' 'unsafe-inline'",
Comment on lines +36 to +40
style: 'unsafe-inline' for script-src and style-src weakens CSP by allowing inline scripts/styles. Consider using nonces or hashes instead for better security.

"img-src 'self' data: https://challenges.cloudflare.com",
"font-src 'self' data:",
"object-src 'none'",
"base-uri 'self'",
"form-action 'self'",
"upgrade-insecure-requests",
].join("; "),
},
},
},
});
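Review bot: the CSP has no `frame-ancestors` directive, so protection against this site being framed rests on the legacy `X-Frame-Options: DENY` header alone; add `"frame-ancestors 'none'"` to the `Content-Security-Policy` array so the two mechanisms agree (note that the existing `frame-src 'self' https://challenges.cloudflare.com` governs what this page may embed, not who may embed it). Separately, the `preload` token in `Strict-Transport-Security` only has effect once the domain is submitted to the HSTS preload list, and that submission commits every subdomain to HTTPS and is slow to reverse; keep it only if that is intended, otherwise ship `max-age=63072000; includeSubDomains` without `preload` until the subdomain inventory has been checked.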