fix: prefer runtime config for secret

harlan-zw · harlan-zw · commit 651962d0a5a5 · 2026-03-30T12:16:56.000+11:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,22 @@
 # Changelog
 
 
+## v6.2.6...main
+
+[compare changes](https://github.com/nuxt-modules/og-image/compare/v6.2.6...main)
+
+### 🚀 Enhancements
+
+- **security:** Add URL signing to prevent parameter tampering ([#546](https://github.com/nuxt-modules/og-image/pull/546))
+
+### 🩹 Fixes
+
+- **security:** Strict mode, deprecate `html` ([#545](https://github.com/nuxt-modules/og-image/pull/545))
+
+### ❤️ Contributors
+
+- Harlan Wilton ([@harlan-zw](https://github.com/harlan-zw))
+
 ## v6.2.4...main
 
 [compare changes](https://github.com/nuxt-modules/og-image/compare/v6.2.4...main)
diff --git a/docs/content/3.guides/13.security.md b/docs/content/3.guides/13.security.md
@@ -9,17 +9,22 @@ The primary security concern with runtime OG image generation is **denial of ser
 
 For full protection, we recommend combining URL signing with a **web application firewall** (WAF) or rate limiting on the `/_og/` path prefix. Services like [Cloudflare](https://cloudflare.com), AWS WAF, or your hosting provider's built-in rate limiting can add an additional layer of defense.
 
+```bash [.env]
+NUXT_OG_IMAGE_SECRET=<your-secret>
+```
+
 ```ts [nuxt.config.ts]
 export default defineNuxtConfig({
   ogImage: {
     security: {
       strict: true,
-      secret: process.env.OG_IMAGE_SECRET,
     }
   }
 })
 ```
 
+The secret is automatically picked up from the `NUXT_OG_IMAGE_SECRET` environment variable.
+
 ## Strict Mode
 
 Enabling `strict` mode applies all recommended security defaults in a single flag:
@@ -51,13 +56,19 @@ This prevents unauthorized image generation requests that would otherwise consum
 npx nuxt-og-image generate-secret
 ```
 
-2. Set the environment variable and reference it in your config:
+2. Set the environment variable:
+
+```bash [.env]
+NUXT_OG_IMAGE_SECRET=<your-secret>
+```
+
+Alternatively, you can set the secret directly in your nuxt config:
 
 ```ts [nuxt.config.ts]
 export default defineNuxtConfig({
   ogImage: {
     security: {
-      secret: process.env.OG_IMAGE_SECRET,
+      secret: 'your-secret',
     }
   }
 })
diff --git a/docs/content/4.api/3.config.md b/docs/content/4.api/3.config.md
@@ -188,12 +188,15 @@ Security limits for image generation. See the [Security Guide](/docs/og-image/gu
 - **`restrictRuntimeImagesToOrigin`**: Restrict runtime image generation to requests whose `Host` header matches allowed hosts. Default `false`. See the [Security Guide](/docs/og-image/guides/security#restrict-runtime-images-to-origin) for details.
 - **`strict`**: Enable strict security mode. Requires `secret`, disables the deprecated `html` option, defaults `maxQueryParamSize` to `2048`, and enables `restrictRuntimeImagesToOrigin`. Default `false`. See the [Security Guide](/docs/og-image/guides/security#strict-mode) for details.
 
+```bash [.env]
+NUXT_OG_IMAGE_SECRET=<your-secret>
+```
+
 ```ts [nuxt.config.ts]
 export default defineNuxtConfig({
   ogImage: {
     security: {
       strict: true,
-      secret: process.env.OG_IMAGE_SECRET,
     }
   }
 })
diff --git a/src/cli.ts b/src/cli.ts
@@ -1664,20 +1664,12 @@ async function runEnable(renderer: string, args: string[]): Promise<void> {
 function generateSecret() {
   const secret = randomBytes(32).toString('hex')
   p.intro('nuxt-og-image generate-secret')
-  p.note([
-    `${secret}`,
-    '',
-    'Add this to your nuxt.config.ts:',
-    '',
-    '  ogImage: {',
-    '    security: {',
-    `      secret: process.env.OG_IMAGE_SECRET,`,
-    '    }',
-    '  }',
-    '',
-    'Then set the environment variable:',
-    `  OG_IMAGE_SECRET=${secret}`,
-  ].join('\n'), 'Generated Secret')
+  p.log.step(`Secret: ${secret}`)
+  p.log.message('')
+  p.log.message('Set the environment variable:')
+  p.log.message(`  NUXT_OG_IMAGE_SECRET=${secret}`)
+  p.log.message('')
+  p.log.message('The secret is automatically picked up via runtime config.')
   p.outro('')
 }
 
diff --git a/src/module.ts b/src/module.ts
@@ -349,16 +349,18 @@ export default defineNuxtModule<ModuleOptions>({
       logger.warn('`ogImage.debug` is enabled in production. This exposes the `/_og/debug.json` endpoint and should not be enabled in production. Disable it before deploying.')
     }
 
-    if (config.security?.strict && !config.security?.secret) {
-      throw new Error('[nuxt-og-image] `security.strict` requires `security.secret` to be set. Generate one with: npx nuxt-og-image generate-secret')
+    const hasSecret = !!(config.security?.secret || process.env.NUXT_OG_IMAGE_SECRET)
+
+    if (config.security?.strict && !hasSecret) {
+      throw new Error('[nuxt-og-image] `security.strict` requires a signing secret. Generate one with: npx nuxt-og-image generate-secret')
     }
 
-    if (nuxt.options.dev && !config.zeroRuntime && !config.security?.secret) {
+    if (nuxt.options.dev && !config.zeroRuntime && !hasSecret) {
       logger.warn([
         'OG image URLs are not signed. Anyone can craft arbitrary image generation requests.',
         '',
-        'Either set a signing secret:',
-        '  ogImage: { security: { secret: process.env.OG_IMAGE_SECRET } }',
+        'Set a signing secret via env variable:',
+        '  NUXT_OG_IMAGE_SECRET=<secret>',
         '',
         '  Generate one with: npx nuxt-og-image generate-secret',
         '',
@@ -1468,7 +1470,7 @@ export const rootDir = ${JSON.stringify(nuxt.options.rootDir)}`
           restrictRuntimeImagesToOrigin: config.security?.restrictRuntimeImagesToOrigin === true || (config.security?.strict && config.security?.restrictRuntimeImagesToOrigin == null)
             ? []
             : (config.security?.restrictRuntimeImagesToOrigin || false),
-          secret: config.security?.secret || '',
+          secret: config.security?.secret || process.env.NUXT_OG_IMAGE_SECRET || '',
         },
       }
       if (nuxt.options.dev) {
