XyraPanel includes comprehensive security features powered by nuxt-security. This page covers CORS, Content Security Policy (CSP), rate limiting, and security headers.

CORS (Cross-Origin Resource Sharing)

NUXT_SECURITY_CORS_ORIGIN
string
required
Comma-separated list of allowed origins for CORS requests. Examples:
# Single origin
NUXT_SECURITY_CORS_ORIGIN="https://panel.example.com"

# Multiple origins
NUXT_SECURITY_CORS_ORIGIN="https://panel.example.com,https://app.example.com"
In development, this defaults to * (allow all). Always set explicitly in production!
NUXT_SECURITY_CONNECT_SRC
string
Additional sources allowed for WebSocket and fetch connections in CSP connect-src directive.
NUXT_SECURITY_CONNECT_SRC="https://api.example.com,wss://ws.example.com"

Content Security Policy (CSP)

CSP helps prevent XSS attacks by controlling which resources can be loaded.
NUXT_SECURITY_CSP_REPORT_ONLY
boolean
default:"false"
Enable CSP in report-only mode for testing before enforcement.
  • true: CSP violations are logged but not blocked (recommended for initial setup)
  • false: CSP violations are blocked (use after testing)
# Start in report-only mode
NUXT_SECURITY_CSP_REPORT_ONLY="true"

# After testing, enforce CSP
NUXT_SECURITY_CSP_REPORT_ONLY="false"
NUXT_SECURITY_CSP_REPORT_URI
string
Endpoint URL for receiving CSP violation reports.
NUXT_SECURITY_CSP_REPORT_URI="https://your-csp-reporter.example.com/report"
Consider using services like report-uri.com or Sentry for CSP reporting.

Default CSP Policy

XyraPanel configures CSP with the following directives:
{
  'default-src': ["'self'"],
  'connect-src': ["'self'", 'https:', 'wss:', 'ws:'],
  'img-src': ["'self'", 'data:', 'https:', 'blob:'],
  'style-src': ["'self'", 'https:', "'unsafe-inline'"],
  'font-src': ["'self'", 'https:', 'data:'],
  'script-src': ["'strict-dynamic'", "'nonce-{{nonce}}'", "'self'", 'https:'],
  'frame-src': ["'self'", 'https://challenges.cloudflare.com'],
  'object-src': ["'none'"],
  'base-uri': ["'self'"],
  'form-action': ["'self'"],
  'frame-ancestors': ["'none'"],
  'upgrade-insecure-requests': true
}
The CSP policy is automatically disabled in development mode for easier debugging.

Rate Limiting

Rate limiting protects against brute force attacks and API abuse.
NUXT_SECURITY_RATE_LIMIT_DRIVER
string
default:"lruCache"
Rate limit storage driver:
  • lruCache: In-memory LRU cache (default, suitable for single instance)
  • redis: Redis-backed storage (recommended for production with multiple instances)
NUXT_SECURITY_RATE_LIMIT_DRIVER="redis"
When using redis, ensure Redis is properly configured. See Redis Configuration.
NUXT_SECURITY_RATE_LIMIT_TOKENS
number
default:"150"
Number of requests allowed per interval for global rate limit.
# Allow 150 requests per interval
NUXT_SECURITY_RATE_LIMIT_TOKENS="150"
NUXT_SECURITY_RATE_LIMIT_INTERVAL_MS
number
default:"300000"
Time window in milliseconds for rate limiting (default: 5 minutes).
# 5 minutes (300000ms)
NUXT_SECURITY_RATE_LIMIT_INTERVAL_MS="300000"

# 1 minute (60000ms)
NUXT_SECURITY_RATE_LIMIT_INTERVAL_MS="60000"

Per-Route Rate Limits

XyraPanel applies stricter rate limits to sensitive endpoints:
Endpoint                    Tokens  Interval    Purpose
/api/auth/sign-in/**        5       10 minutes  Prevent login brute force
/api/auth/forget-password   5       15 minutes  Prevent password reset abuse
/api/auth/reset-password    8       15 minutes  Limit password resets
/api/user/2fa/**            8       5 minutes   Protect 2FA operations
/api/account/password/**    8       5 minutes   Limit password changes
/api/admin/**               300     1 minute    Allow higher admin traffic
/api/servers/**             300     1 minute    Server management operations
Global default              150     5 minutes   All other endpoints
These limits are defined in nuxt.config.ts and can be customized if needed.

Security Headers

XyraPanel automatically sets secure HTTP headers in production:

Strict-Transport-Security (HSTS)

Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
Forces HTTPS connections for 1 year.

X-Frame-Options

X-Frame-Options: DENY
Prevents clickjacking by blocking iframe embedding.

X-Content-Type-Options

X-Content-Type-Options: nosniff
Prevents MIME-type sniffing.

Referrer-Policy

Referrer-Policy: strict-origin-when-cross-origin
Controls referrer information sent with requests.

Cross-Origin Policies

Cross-Origin-Embedder-Policy: unsafe-none
Cross-Origin-Opener-Policy: same-origin-allow-popups
Cross-Origin-Resource-Policy: cross-origin
Security headers are automatically disabled in development mode.

Request Size Limits

NUXT_MAX_REQUEST_SIZE_MB
number
default:"10"
Maximum size for request bodies in megabytes.
NUXT_MAX_REQUEST_SIZE_MB="10"
NUXT_MAX_UPLOAD_SIZE_MB
number
default:"20"
Maximum size for file uploads in megabytes.
NUXT_MAX_UPLOAD_SIZE_MB="20"

Configuration Examples

Development

.env
# Local development origin
NUXT_SECURITY_CORS_ORIGIN="http://localhost:3000"

# Use in-memory rate limiting
NUXT_SECURITY_RATE_LIMIT_DRIVER="lruCache"
NUXT_SECURITY_RATE_LIMIT_TOKENS="150"
NUXT_SECURITY_RATE_LIMIT_INTERVAL_MS="300000"

# CSP in report-only mode
NUXT_SECURITY_CSP_REPORT_ONLY="true"

Production (Single Instance)

.env
# Restrict to your domain
NUXT_SECURITY_CORS_ORIGIN="https://panel.example.com"
NUXT_SECURITY_CONNECT_SRC="https://panel.example.com"

# Redis-backed rate limiting
NUXT_SECURITY_RATE_LIMIT_DRIVER="redis"
NUXT_SECURITY_RATE_LIMIT_TOKENS="150"
NUXT_SECURITY_RATE_LIMIT_INTERVAL_MS="300000"

# Enforce CSP
NUXT_SECURITY_CSP_REPORT_ONLY="false"

# Request limits
NUXT_MAX_REQUEST_SIZE_MB="10"
NUXT_MAX_UPLOAD_SIZE_MB="20"

Production (Multiple Origins)

.env
# Multiple allowed origins
NUXT_SECURITY_CORS_ORIGIN="https://panel.example.com,https://app.example.com"
NUXT_SECURITY_CONNECT_SRC="https://panel.example.com,https://api.example.com,wss://ws.example.com"

# Redis for shared rate limits
NUXT_SECURITY_RATE_LIMIT_DRIVER="redis"
NUXT_SECURITY_RATE_LIMIT_TOKENS="200"
NUXT_SECURITY_RATE_LIMIT_INTERVAL_MS="300000"

# CSP with reporting
NUXT_SECURITY_CSP_REPORT_ONLY="false"
NUXT_SECURITY_CSP_REPORT_URI="https://report-uri.example.com/csp"

Testing CSP

1. Enable report-only mode: set NUXT_SECURITY_CSP_REPORT_ONLY="true" in your .env file.
2. Configure reporting (optional): set NUXT_SECURITY_CSP_REPORT_URI to receive violation reports.
3. Test your application: use your panel normally and check the browser console for CSP violations.
4. Review violations: fix any legitimate violations by adjusting your CSP or code.
5. Enforce CSP: set NUXT_SECURITY_CSP_REPORT_ONLY="false" to enforce the policy.

Monitoring Rate Limits

Rate limit status is included in response headers:
X-RateLimit-Limit: 150
X-RateLimit-Remaining: 149
X-RateLimit-Reset: 1234567890
Clients can use these headers to implement backoff strategies.
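An added example of such a backoff decision (client-side code written for this page, not part of XyraPanel): given the three headers above and the response status, it decides whether the next request may go out now or how long to wait. It assumes X-RateLimit-Reset is a Unix timestamp (the sample value 1234567890 reads as seconds; values above 1e12 are treated as milliseconds so either convention is handled).

```javascript
// Reset is assumed to be a Unix timestamp: the sample 1234567890 reads as
// seconds, while anything above 1e12 is taken as milliseconds so either
// convention works.
function resetAtMs(raw) {
  const n = Number(raw);
  if (!Number.isFinite(n) || n <= 0) return null;
  return n > 1e12 ? n : n * 1000;
}

// headers: plain object keyed by lower-cased header name (what
// Headers.get() yields). nowMs and jitter are injectable so the decision
// is deterministic under test; in production leave the defaults.
function planNextRequest(headers, status, nowMs = Date.now(), jitter = Math.random) {
  const remaining = Number(headers['x-ratelimit-remaining']);
  const resetMs = resetAtMs(headers['x-ratelimit-reset']);

  // Tokens left and the server accepted the call: send the next one now.
  if (status !== 429 && Number.isFinite(remaining) && remaining > 0) {
    return { proceed: true, waitMs: 0 };
  }
  // Out of tokens, or already refused with 429: sleep until the window
  // resets, plus up to 10% jitter so a fleet of clients does not retry
  // in lock-step. Without a usable Reset header, pause a fixed 5 s.
  // A reset time already in the past yields waitMs 0, i.e. retry now.
  const base = resetMs === null ? 5000 : Math.max(0, resetMs - nowMs);
  const waitMs = Math.round(base + base * 0.1 * jitter());
  return { proceed: false, waitMs };
}

// Pull the three rate-limit headers out of a fetch() Response.
function rateLimitHeaders(res) {
  const out = {};
  for (const name of ['x-ratelimit-limit', 'x-ratelimit-remaining', 'x-ratelimit-reset']) {
    const v = res.headers.get(name);
    if (v !== null) out[name] = v;
  }
  return out;
}
```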

Best Practices

Use NUXT_SECURITY_RATE_LIMIT_DRIVER="redis" in production environments, especially with multiple instances. LRU cache is only suitable for single-instance development.
Enable NUXT_SECURITY_CSP_REPORT_ONLY="true" initially to identify issues before enforcing the policy.
Never use * for NUXT_SECURITY_CORS_ORIGIN in production. Always specify exact origins.
Watch for 429 Too Many Requests responses in your logs to identify potential attacks or misconfigured clients.
The default rate limits work for most deployments, but high-traffic instances may need higher limits.
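Watching for 429s is easier with a little tooling. The following is an added example (not XyraPanel code) that counts 429 responses per client and route in access-log lines, so repeated rate-limiting on the auth endpoints stands out from a single misconfigured client polling one route. The log line shape, the sample lines and the thresholds are all constructed assumptions for this illustration.

```javascript
// Assumed line shape (constructed):  ip - - [time] "METHOD path" status
const LINE = /^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})/;

function parseLine(line) {
  const m = LINE.exec(line);
  if (!m) return null;
  // Strip the query string so /api/servers?page=2 counts as /api/servers.
  return { ip: m[1], method: m[2], path: m[3].split('?')[0], status: Number(m[4]) };
}

// Map of ip -> Map of path -> number of 429 responses.
function summarise429s(lines) {
  const byIp = new Map();
  for (const line of lines) {
    const r = parseLine(line);
    if (!r || r.status !== 429) continue;
    const routes = byIp.get(r.ip) ?? new Map();
    routes.set(r.path, (routes.get(r.path) ?? 0) + 1);
    byIp.set(r.ip, routes);
  }
  return byIp;
}

// Thresholds are illustrative assumptions. A client already past the
// 5-per-10-minute sign-in limit and still hitting an auth route looks
// like credential guessing; a large count anywhere looks like a client
// that ignores the X-RateLimit headers.
function flagClients(byIp, { authThreshold = 3, anyThreshold = 20 } = {}) {
  const flags = [];
  for (const [ip, routes] of byIp) {
    let total = 0;
    for (const [path, n] of routes) {
      total += n;
      if (path.startsWith('/api/auth/') && n >= authThreshold) {
        flags.push({ ip, path, count: n, reason: 'auth-rate-limited' });
      }
    }
    if (total >= anyThreshold) flags.push({ ip, count: total, reason: 'excessive-429s' });
  }
  return flags;
}

// Constructed sample traffic, not real log data.
const SAMPLE_LOG = [
  '203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "POST /api/auth/sign-in HTTP/1.1" 429',
  '203.0.113.7 - - [01/Jan/2025:10:00:02 +0000] "POST /api/auth/sign-in HTTP/1.1" 429',
  '203.0.113.7 - - [01/Jan/2025:10:00:03 +0000] "POST /api/auth/sign-in HTTP/1.1" 429',
  '198.51.100.4 - - [01/Jan/2025:10:00:05 +0000] "GET /api/servers?page=2 HTTP/1.1" 429',
  '198.51.100.4 - - [01/Jan/2025:10:00:06 +0000] "GET /api/servers HTTP/1.1" 200',
];
```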

Next Steps

Redis Configuration

Set up Redis for rate limiting

Environment Variables

View all configuration options
