fix(security): strict mode, deprecate html (#545)

harlan-zw · web-flow · commit 25c057b1bec8 · 2026-03-29T01:14:36.000+11:00
diff --git a/docs/content/3.guides/13.security.md b/docs/content/3.guides/13.security.md
@@ -13,12 +13,30 @@ For full protection, we recommend combining URL signing with a **web application
 export default defineNuxtConfig({
   ogImage: {
     security: {
+      strict: true,
       secret: process.env.OG_IMAGE_SECRET,
     }
   }
 })
 ```
 
+## Strict Mode
+
+Enabling `strict` mode applies all recommended security defaults in a single flag:
+
+- **URL signing required**: `secret` must be set (rejects unsigned runtime requests with `403`)
+- **Inline HTML disabled**: The deprecated `html` option is stripped entirely, preventing SSRF via inline HTML injection
+- **Query string size limit**: `maxQueryParamSize` defaults to `2048` characters (instead of no limit)
+- **Origin restriction**: `restrictRuntimeImagesToOrigin` defaults to `true`, locking runtime generation to your site config URL host
+
+Any of these can still be overridden explicitly. Strict mode only changes the defaults.
+
+The build will fail if `strict` is enabled without a `secret`. Generate one with:
+
+```bash
+npx nuxt-og-image generate-secret
+```
+
 ## URL Signing
 
 When a signing secret is configured, every OG image URL includes a cryptographic signature in the path. The server verifies this signature before rendering, rejecting any URL that has been tampered with or crafted manually.
diff --git a/docs/content/4.api/0.define-og-image.md b/docs/content/4.api/0.define-og-image.md
@@ -70,6 +70,10 @@ The emoji set to use when generating the image. Set to `false` to disable emoji
 
 ### `html`
 
+::deprecated
+The `html` option is deprecated and will be removed in the next major version due to SSRF risk. Use a Vue component instead. This option is disabled when `security.strict` is enabled.
+::
+
 - Type: `string`{lang="ts"}
 - Default: `undefined`{lang="ts"}
 
@@ -186,6 +190,10 @@ defineOgImage('MyCustomComponent.takumi', { title: 'Hello' })
 
 ### Inline HTML Templates
 
+::deprecated
+The inline HTML templates feature is deprecated and will be removed in the next major version. Use a Vue component instead.
+::
+
 If you have a simple template and prefer to inline it, you can do so using the `html` option:
 
 ```ts
diff --git a/docs/content/4.api/3.config.md b/docs/content/4.api/3.config.md
@@ -186,17 +186,14 @@ Security limits for image generation. See the [Security Guide](/docs/og-image/gu
 - **`renderTimeout`**: Milliseconds before the render is aborted with a `408` response. Default `15000`.
 - **`maxQueryParamSize`**: Maximum query string length (in characters) for runtime requests. Returns `400` when exceeded. Default `null` (no limit).
 - **`restrictRuntimeImagesToOrigin`**: Restrict runtime image generation to requests whose `Host` header matches allowed hosts. Default `false`. See the [Security Guide](/docs/og-image/guides/security#restrict-runtime-images-to-origin) for details.
+- **`strict`**: Enable strict security mode. Requires `secret`, disables the deprecated `html` option, defaults `maxQueryParamSize` to `2048`, and enables `restrictRuntimeImagesToOrigin`. Default `false`. See the [Security Guide](/docs/og-image/guides/security#strict-mode) for details.
 
 ```ts [nuxt.config.ts]
 export default defineNuxtConfig({
   ogImage: {
     security: {
+      strict: true,
       secret: process.env.OG_IMAGE_SECRET,
-      maxDimension: 2048,
-      maxDpr: 2,
-      renderTimeout: 15000,
-      restrictRuntimeImagesToOrigin: true, // lock to site config URL host
-      // or: ['https://cdn.example.com'] // allow additional hosts
     }
   }
 })
diff --git a/src/module.ts b/src/module.ts
@@ -235,8 +235,20 @@ export interface ModuleOptions {
      *
      * Must be a stable string across deployments. Generate one with:
      * `npx nuxt-og-image generate-secret`
+     *
+     * Required when `strict` is enabled.
      */
     secret?: string
+    /**
+     * Enable strict security mode. When enabled:
+     * - `secret` is required (URL signing)
+     * - The `html` option is disabled (prevents SSRF via inline HTML injection)
+     * - `maxQueryParamSize` defaults to `2048`
+     * - `restrictRuntimeImagesToOrigin` defaults to `true`
+     *
+     * @default false
+     */
+    strict?: boolean
   }
 }
 
@@ -337,6 +349,10 @@ export default defineNuxtModule<ModuleOptions>({
       logger.warn('`ogImage.debug` is enabled in production. This exposes the `/_og/debug.json` endpoint and should not be enabled in production. Disable it before deploying.')
     }
 
+    if (config.security?.strict && !config.security?.secret) {
+      throw new Error('[nuxt-og-image] `security.strict` requires `security.secret` to be set. Generate one with: npx nuxt-og-image generate-secret')
+    }
+
     if (nuxt.options.dev && !config.zeroRuntime && !config.security?.secret) {
       logger.warn([
         'OG image URLs are not signed. Anyone can craft arbitrary image generation requests.',
@@ -1444,11 +1460,12 @@ export const rootDir = ${JSON.stringify(nuxt.options.rootDir)}`
             }
           : undefined,
         security: {
+          strict: config.security?.strict ?? false,
           maxDimension: config.security?.maxDimension ?? 2048,
           maxDpr: config.security?.maxDpr ?? 2,
           renderTimeout: config.security?.renderTimeout ?? 15_000,
-          maxQueryParamSize: config.security?.maxQueryParamSize ?? null,
-          restrictRuntimeImagesToOrigin: config.security?.restrictRuntimeImagesToOrigin === true
+          maxQueryParamSize: config.security?.maxQueryParamSize ?? (config.security?.strict ? 2048 : null),
+          restrictRuntimeImagesToOrigin: config.security?.restrictRuntimeImagesToOrigin === true || (config.security?.strict && config.security?.restrictRuntimeImagesToOrigin == null)
             ? []
             : (config.security?.restrictRuntimeImagesToOrigin || false),
           secret: config.security?.secret || '',
diff --git a/src/runtime/server/og-image/browser/screenshot.ts b/src/runtime/server/og-image/browser/screenshot.ts
@@ -5,6 +5,7 @@ import { getNitroOrigin } from '#site-config/server/composables'
 import { withQuery } from 'ufo'
 import { toValue } from 'vue'
 import { buildOgImageUrl } from '../../../shared'
+import { logger } from '../../util/logger'
 import { useOgImageRuntimeConfig } from '../../utils'
 
 // Detect if we're using Playwright or Puppeteer
@@ -104,6 +105,9 @@ export async function createScreenshot({ basePath, e, options, extension }: OgIm
   }
 
   try {
+    if (options.html) {
+      logger.warn('The `html` option is deprecated and will be removed in the next major version. Use a Vue component instead.')
+    }
     if (import.meta.prerender && !options.html) {
       // we need to do a nitro fetch for the HTML instead of rendering with browser
       options.html = await e.$fetch(path).catch(() => undefined) as string
diff --git a/src/runtime/server/og-image/context.ts b/src/runtime/server/og-image/context.ts
@@ -154,6 +154,8 @@ export async function resolveContext(e: H3Event): Promise<H3Error | OgImageRende
         queryParams[k] = v
       }
     }
+    // Always strip html from query params before separation to prevent SSRF via inline HTML injection
+    delete queryParams.html
     queryParams = separateProps(queryParams)
   }
 
@@ -163,6 +165,10 @@ export async function resolveContext(e: H3Event): Promise<H3Error | OgImageRende
   delete urlOptions._path
   delete urlOptions._hash // Remove internal hash field
   delete urlOptions._componentHash // Not needed for rendering
+  // In strict mode, strip html from URL options (disables the feature entirely)
+  if (runtimeConfig.security?.strict) {
+    delete urlOptions.html
+  }
 
   const basePathWithQuery = queryParams._query && typeof queryParams._query === 'object'
     ? withQuery(basePath, queryParams._query)
diff --git a/src/runtime/server/og-image/core/vnodes.ts b/src/runtime/server/og-image/core/vnodes.ts
@@ -225,6 +225,9 @@ export interface CreateVNodesOptions {
 
 export async function createVNodes(ctx: OgImageRenderEventContext, options?: CreateVNodesOptions): Promise<VNode> {
   let html = ctx.options.html
+  if (html) {
+    logger.warn('The `html` option is deprecated and will be removed in the next major version. Use a Vue component instead.')
+  }
   if (!html) {
     const island = await fetchIsland(ctx.e, ctx.options.component!, typeof ctx.options.props !== 'undefined' ? ctx.options.props as Record<string, any> : ctx.options)
     // this fixes any inline style props that need to be wrapped in single quotes, such as:
diff --git a/src/runtime/types.ts b/src/runtime/types.ts
@@ -72,6 +72,7 @@ export interface OgImageRuntimeConfig {
     maxQueryParamSize: number | null
     restrictRuntimeImagesToOrigin: false | string[]
     secret: string
+    strict: boolean
   }
 
   app: {
@@ -159,6 +160,9 @@ export interface OgImageOptions {
   emojis?: IconifyEmojiIconSets | false
   /**
    * Provide a static HTML template to render the OG Image instead of a component.
+   *
+   * @deprecated The `html` option will be removed in the next major version due to SSRF risk.
+   * Use a Vue component instead. Disabled when `security.strict` is enabled.
    */
   html?: string
   // vendor config
diff --git a/test/unit/strict-mode.test.ts b/test/unit/strict-mode.test.ts
@@ -0,0 +1,73 @@
+import { describe, expect, it } from 'vitest'
+
+/**
+ * Tests for security.strict mode config resolution.
+ * Mirrors the logic in module.ts for resolving security defaults.
+ */
+function resolveSecurityConfig(config?: {
+  strict?: boolean
+  secret?: string
+  maxQueryParamSize?: number | null
+  restrictRuntimeImagesToOrigin?: boolean | string[]
+}) {
+  return {
+    strict: config?.strict ?? false,
+    maxDimension: 2048,
+    maxDpr: 2,
+    renderTimeout: 15_000,
+    maxQueryParamSize: config?.maxQueryParamSize ?? (config?.strict ? 2048 : null),
+    restrictRuntimeImagesToOrigin: config?.restrictRuntimeImagesToOrigin === true || (config?.strict && config?.restrictRuntimeImagesToOrigin == null)
+      ? []
+      : (config?.restrictRuntimeImagesToOrigin || false),
+    secret: config?.secret || '',
+  }
+}
+
+describe('security.strict mode defaults', () => {
+  it('defaults to non-strict with no limits', () => {
+    const result = resolveSecurityConfig()
+    expect(result.strict).toBe(false)
+    expect(result.maxQueryParamSize).toBeNull()
+    expect(result.restrictRuntimeImagesToOrigin).toBe(false)
+  })
+
+  it('strict mode sets maxQueryParamSize to 2048', () => {
+    const result = resolveSecurityConfig({ strict: true, secret: 'test' })
+    expect(result.maxQueryParamSize).toBe(2048)
+  })
+
+  it('strict mode enables restrictRuntimeImagesToOrigin', () => {
+    const result = resolveSecurityConfig({ strict: true, secret: 'test' })
+    expect(result.restrictRuntimeImagesToOrigin).toEqual([])
+  })
+
+  it('explicit maxQueryParamSize overrides strict default', () => {
+    const result = resolveSecurityConfig({ strict: true, secret: 'test', maxQueryParamSize: 4096 })
+    expect(result.maxQueryParamSize).toBe(4096)
+  })
+
+  it('explicit restrictRuntimeImagesToOrigin array overrides strict default', () => {
+    const result = resolveSecurityConfig({
+      strict: true,
+      secret: 'test',
+      restrictRuntimeImagesToOrigin: ['https://cdn.example.com'],
+    })
+    expect(result.restrictRuntimeImagesToOrigin).toEqual(['https://cdn.example.com'])
+  })
+
+  it('explicit restrictRuntimeImagesToOrigin false overrides strict default', () => {
+    const result = resolveSecurityConfig({
+      strict: true,
+      secret: 'test',
+      restrictRuntimeImagesToOrigin: false,
+    })
+    expect(result.restrictRuntimeImagesToOrigin).toBe(false)
+  })
+
+  it('strict mode requires secret (validated at module setup)', () => {
+    // Module setup throws when strict is true and secret is missing.
+    // This test documents the contract; the actual throw is in module.ts setup().
+    const config = { strict: true }
+    expect(config.strict && !config.secret).toBe(true)
+  })
+})

Original file line number	Diff line number	Diff line change
`@@ -154,6 +154,8 @@ export async function resolveContext(e: H3Event): Promise<H3Error \| OgImageRende`
`154`	`154`	`queryParams[k] = v`
`155`	`155`	`}`
`156`	`156`	`}`
	`157`	`+ // Always strip html from query params before separation to prevent SSRF via inline HTML injection`
	`158`	`+ delete queryParams.html`
`157`	`159`	`queryParams = separateProps(queryParams)`
`158`	`160`	`}`
`159`	`161`
`@@ -163,6 +165,10 @@ export async function resolveContext(e: H3Event): Promise<H3Error \| OgImageRende`
`163`	`165`	`delete urlOptions._path`
`164`	`166`	`delete urlOptions._hash // Remove internal hash field`
`165`	`167`	`delete urlOptions._componentHash // Not needed for rendering`
	`168`	`+ // In strict mode, strip html from URL options (disables the feature entirely)`
	`169`	`+ if (runtimeConfig.security?.strict) {`
	`170`	`+ delete urlOptions.html`
	`171`	`+ }`
`166`	`172`
`167`	`173`	`const basePathWithQuery = queryParams._query && typeof queryParams._query === 'object'`
`168`	`174`	`? withQuery(basePath, queryParams._query)`