feat(security): add URL signing to prevent parameter tampering (#546)

harlan-zw · web-flow · commit 87a2539209e4 · 2026-03-28T17:19:38.000+11:00
diff --git a/docs/content/3.guides/13.security.md b/docs/content/3.guides/13.security.md
@@ -3,21 +3,66 @@ title: Security
 description: Learn about the security defaults and how to further harden your OG image endpoint.
 ---
 
-Nuxt OG Image ships with secure defaults by default. Image dimensions are clamped, renders are time limited, internal network requests are blocked, and user provided props are sanitized. No configuration is needed for these protections.
+Nuxt OG Image ships with secure defaults. Image dimensions are clamped, renders are time limited, internal network requests are blocked, and user provided props are sanitized. No configuration is needed for these protections.
 
-If you want to lock things down further, the `security` config key gives you additional controls.
+The primary security concern with runtime OG image generation is **denial of service**: without protection, anyone can craft arbitrary image generation requests to your `/_og/d/` endpoint, consuming server CPU and memory. URL signing prevents this by ensuring only your application can generate valid image URLs.
+
+For full protection, we recommend combining URL signing with a **web application firewall** (WAF) or rate limiting on the `/_og/` path prefix. Services like [Cloudflare](https://cloudflare.com), AWS WAF, or your hosting provider's built-in rate limiting can add an additional layer of defense.
 
 ```ts [nuxt.config.ts]
 export default defineNuxtConfig({
   ogImage: {
     security: {
-      restrictRuntimeImagesToOrigin: true,
-      maxQueryParamSize: 2048,
+      secret: process.env.OG_IMAGE_SECRET,
     }
   }
 })
 ```
 
+## URL Signing
+
+When a signing secret is configured, every OG image URL includes a cryptographic signature in the path. The server verifies this signature before rendering, rejecting any URL that has been tampered with or crafted manually.
+
+This prevents unauthorized image generation requests that would otherwise consume server resources.
+
+### Setup
+
+1. Generate a secret:
+
+```bash
+npx nuxt-og-image generate-secret
+```
+
+2. Set the environment variable and reference it in your config:
+
+```ts [nuxt.config.ts]
+export default defineNuxtConfig({
+  ogImage: {
+    security: {
+      secret: process.env.OG_IMAGE_SECRET,
+    }
+  }
+})
+```
+
+### How It Works
+
+When a secret is configured:
+- `defineOgImage()`{lang="ts"} appends a signature to the URL path: `/_og/d/w_1200,h_600,s_abc123def456.png`
+- The server extracts and verifies the signature before processing the request
+- Requests with missing or invalid signatures receive a `403` response
+- All query parameter overrides are ignored (the signed path is the single source of truth)
+
+The signature is deterministic: the same options with the same secret always produce the same URL. This means URLs are stable across server restarts and deployments as long as the secret does not change.
+
+### Defense in Depth
+
+URL signing works alongside the other security options (`maxDimension`, `maxQueryParamSize`, `renderTimeout`, `restrictRuntimeImagesToOrigin`) which continue to apply as defense-in-depth. When signing is active, query parameter overrides are ignored but the query string size limit still applies to reduce parsing overhead.
+
+::note
+Dev mode and prerendering bypass signature verification. Signing only applies to runtime requests in production.
+::
+
 ## Prerender Your Images
 
 The most effective security measure is to **prerender your OG images at build time** using [Zero Runtime mode](/docs/og-image/guides/zero-runtime). Prerendered images are served as static files with no runtime rendering code in your production build.
@@ -61,7 +106,7 @@ export default defineNuxtConfig({
 
 ## Query String Size Limit
 
-OG image options can be passed via query parameters. By default there is no size limit on the query string, but you can set `maxQueryParamSize` to reject requests with oversized query strings.
+OG image options can be passed via query parameters when URL signing is not enabled. You can set `maxQueryParamSize` to reject requests with oversized query strings.
 
 ```ts [nuxt.config.ts]
 export default defineNuxtConfig({
@@ -75,6 +120,10 @@ export default defineNuxtConfig({
 
 Requests exceeding this limit receive a `400` response.
 
+::note
+When URL signing is active, query parameter overrides are ignored, but this size limit still applies to reduce request parsing overhead.
+::
+
 If you find yourself passing large amounts of data through query parameters (titles, descriptions, full text), consider loading that data inside your OG image component instead. See the [Performance guide](/docs/og-image/guides/performance#reduce-url-size) for the recommended pattern.
 
 ## Restrict Runtime Images to Origin
diff --git a/docs/content/4.api/3.config.md b/docs/content/4.api/3.config.md
@@ -180,6 +180,7 @@ See the [Browser Renderer](/docs/og-image/renderers/browser) guide for more deta
 
 Security limits for image generation. See the [Security Guide](/docs/og-image/guides/security) for full details.
 
+- **`secret`**: Signing secret for URL tamper protection. When set, all runtime OG image URLs are signed and unsigned requests are rejected with `403`. Generate one with `npx nuxt-og-image generate-secret`. See the [Security Guide](/docs/og-image/guides/security#url-signing) for details.
 - **`maxDimension`**: Maximum width or height in pixels. Default `2048`.
 - **`maxDpr`**: Maximum device pixel ratio (Takumi renderer). Default `2`.
 - **`renderTimeout`**: Milliseconds before the render is aborted with a `408` response. Default `15000`.
@@ -190,6 +191,7 @@ Security limits for image generation. See the [Security Guide](/docs/og-image/gu
 export default defineNuxtConfig({
   ogImage: {
     security: {
+      secret: process.env.OG_IMAGE_SECRET,
       maxDimension: 2048,
       maxDpr: 2,
       renderTimeout: 15000,
diff --git a/src/cli.ts b/src/cli.ts
@@ -1,4 +1,5 @@
 #!/usr/bin/env node
+import { randomBytes } from 'node:crypto'
 import { existsSync, mkdirSync, readdirSync, readFileSync, renameSync, writeFileSync } from 'node:fs'
 import { fileURLToPath } from 'node:url'
 import * as p from '@clack/prompts'
@@ -1660,6 +1661,26 @@ async function runEnable(renderer: string, args: string[]): Promise<void> {
   p.outro('Done')
 }
 
+function generateSecret() {
+  const secret = randomBytes(32).toString('hex')
+  p.intro('nuxt-og-image generate-secret')
+  p.note([
+    `${secret}`,
+    '',
+    'Add this to your nuxt.config.ts:',
+    '',
+    '  ogImage: {',
+    '    security: {',
+    `      secret: process.env.OG_IMAGE_SECRET,`,
+    '    }',
+    '  }',
+    '',
+    'Then set the environment variable:',
+    `  OG_IMAGE_SECRET=${secret}`,
+  ].join('\n'), 'Generated Secret')
+  p.outro('')
+}
+
 function showHelp() {
   p.intro('nuxt-og-image CLI')
   p.note([
@@ -1673,6 +1694,7 @@ function showHelp() {
     '                  Options: --edge (install wasm versions for edge runtimes)',
     'migrate v6        Migrate to v6 (component suffixes + new API)',
     '                  Options: --dry-run, --yes, --renderer <renderer>',
+    'generate-secret   Generate a signing secret for URL tamper protection',
   ].join('\n'), 'Commands')
   p.outro('')
 }
@@ -1713,6 +1735,9 @@ else if (command === 'migrate') {
 else if (command === 'switch') {
   runSwitch(args.slice(1))
 }
+else if (command === 'generate-secret') {
+  generateSecret()
+}
 else if (command === 'enable') {
   const renderer = args[1]
   if (!renderer) {
diff --git a/src/module.ts b/src/module.ts
@@ -228,6 +228,15 @@ export interface ModuleOptions {
      * @default false
      */
     restrictRuntimeImagesToOrigin?: boolean | string[]
+    /**
+     * Secret for URL signing. When set, all runtime OG image URLs include a
+     * keyed hash signature and the handler rejects requests with missing or
+     * invalid signatures.
+     *
+     * Must be a stable string across deployments. Generate one with:
+     * `npx nuxt-og-image generate-secret`
+     */
+    secret?: string
   }
 }
 
@@ -328,6 +337,20 @@ export default defineNuxtModule<ModuleOptions>({
       logger.warn('`ogImage.debug` is enabled in production. This exposes the `/_og/debug.json` endpoint and should not be enabled in production. Disable it before deploying.')
     }
 
+    if (nuxt.options.dev && !config.zeroRuntime && !config.security?.secret) {
+      logger.warn([
+        'OG image URLs are not signed. Anyone can craft arbitrary image generation requests.',
+        '',
+        'Either set a signing secret:',
+        '  ogImage: { security: { secret: process.env.OG_IMAGE_SECRET } }',
+        '',
+        '  Generate one with: npx nuxt-og-image generate-secret',
+        '',
+        'Or enable zero-runtime mode to disable dynamic generation entirely:',
+        '  ogImage: { zeroRuntime: true }',
+      ].join('\n'))
+    }
+
     // Check for removed/deprecated config options
     const ogImageConfig = config as unknown as Record<string, unknown>
     for (const key of Object.keys(REMOVED_CONFIG)) {
@@ -1428,6 +1451,7 @@ export const rootDir = ${JSON.stringify(nuxt.options.rootDir)}`
           restrictRuntimeImagesToOrigin: config.security?.restrictRuntimeImagesToOrigin === true
             ? []
             : (config.security?.restrictRuntimeImagesToOrigin || false),
+          secret: config.security?.secret || '',
         },
       }
       if (nuxt.options.dev) {
diff --git a/src/runtime/app/utils.ts b/src/runtime/app/utils.ts
@@ -171,7 +171,7 @@ export interface GetOgImagePathResult {
 export function getOgImagePath(_pagePath: string, _options?: Partial<OgImageOptionsInternal>): GetOgImagePathResult {
   const runtimeConfig = useRuntimeConfig()
   const baseURL = runtimeConfig.app.baseURL
-  const { defaults } = useOgImageRuntimeConfig()
+  const { defaults, security } = useOgImageRuntimeConfig()
   const extension = _options?.extension || defaults?.extension || 'png'
   const isStatic = import.meta.prerender
   const options: Record<string, any> = { ..._options, _path: _pagePath }
@@ -184,7 +184,7 @@ export function getOgImagePath(_pagePath: string, _options?: Partial<OgImageOpti
   // Build URL with encoded options (Cloudinary-style)
   // Include _path so the server knows which page to render
   // Pass defaults to skip encoding default values in URL
-  const result = buildOgImageUrl(options, extension, isStatic, defaults)
+  const result = buildOgImageUrl(options, extension, isStatic, defaults, security?.secret || undefined)
   const path = joinURL('/', baseURL, result.url)
   return {
     path,
diff --git a/src/runtime/server/og-image/browser/screenshot.ts b/src/runtime/server/og-image/browser/screenshot.ts
@@ -79,9 +79,9 @@ async function takeScreenshot(page: Page, selector: string | undefined, options:
 }
 
 export async function createScreenshot({ basePath, e, options, extension }: OgImageRenderEventContext, browser: Browser): Promise<Buffer> {
-  const { colorPreference, defaults } = useOgImageRuntimeConfig()
+  const { colorPreference, defaults, security } = useOgImageRuntimeConfig()
   // For browser renderer, we need to load the HTML template with options encoded in URL
-  const path = options.component === 'PageScreenshot' ? basePath : buildOgImageUrl(options, 'html', false, defaults).url
+  const path = options.component === 'PageScreenshot' ? basePath : buildOgImageUrl(options, 'html', false, defaults, security?.secret || undefined).url
 
   // Create page - Playwright and Puppeteer have different newPage signatures
   let page: Page
diff --git a/src/runtime/server/og-image/context.ts b/src/runtime/server/og-image/context.ts
@@ -17,14 +17,15 @@ import { hash } from 'ohash'
 import { parseURL, withoutLeadingSlash, withoutTrailingSlash, withQuery } from 'ufo'
 import { normalizeKey } from 'unstorage'
 import { logger } from '../../logger'
-import { decodeOgImageParams, extractEncodedSegment, sanitizeProps, separateProps } from '../../shared'
+import { decodeOgImageParams, extractEncodedSegment, sanitizeProps, separateProps, verifyOgImageSignature } from '../../shared'
 import { autoEjectCommunityTemplate } from '../util/auto-eject'
 import { createNitroRouteRuleMatcher } from '../util/kit'
 import { normaliseOptions } from '../util/options'
 import { useOgImageRuntimeConfig } from '../utils'
 import { getBrowserRenderer, getSatoriRenderer, getTakumiRenderer } from './instances'
 
 const RE_HASH_MODE = /^o_([a-z0-9]+)$/i
+const RE_SIGNATURE_SUFFIX = /,s_([^,]+)$/
 
 export function resolvePathCacheKey(e: H3Event, path: string, resolvedOptions?: Record<string, any>) {
   const siteConfig = getSiteConfig(e, {
@@ -64,8 +65,34 @@ export async function resolveContext(e: H3Event): Promise<H3Error | OgImageRende
   // Hash mode: /_og/d/o_<hash>.png (for long URLs)
   const encodedSegment = extractEncodedSegment(path, extension)
 
+  // Extract and verify URL signature when signing is enabled
+  const secret = runtimeConfig.security?.secret
+  let paramsSegment = encodedSegment
+  if (secret && !import.meta.dev && !import.meta.prerender) {
+    // Extract signature (last ,s_<value> in the segment)
+    const sigMatch = encodedSegment.match(RE_SIGNATURE_SUFFIX)
+    if (!sigMatch) {
+      return createError({
+        statusCode: 403,
+        statusMessage: '[Nuxt OG Image] Missing URL signature. Configure security.secret to sign URLs.',
+      })
+    }
+    const signature = sigMatch[1]!
+    paramsSegment = encodedSegment.slice(0, sigMatch.index!)
+    if (!verifyOgImageSignature(paramsSegment, signature, secret!)) {
+      return createError({
+        statusCode: 403,
+        statusMessage: '[Nuxt OG Image] Invalid URL signature.',
+      })
+    }
+  }
+  else if (secret && RE_SIGNATURE_SUFFIX.test(encodedSegment)) {
+    // Strip signature in dev/prerender so it doesn't pollute decoded params
+    paramsSegment = encodedSegment.replace(RE_SIGNATURE_SUFFIX, '')
+  }
+
   // Check for hash mode (o_<hash>)
-  const hashMatch = encodedSegment.match(RE_HASH_MODE)
+  const hashMatch = paramsSegment.match(RE_HASH_MODE)
   let urlOptions: Record<string, any> = {}
 
   if (hashMatch) {
@@ -92,10 +119,10 @@ export async function resolveContext(e: H3Event): Promise<H3Error | OgImageRende
     }
   }
   else {
-    urlOptions = decodeOgImageParams(encodedSegment)
+    urlOptions = decodeOgImageParams(paramsSegment)
   }
 
-  // Reject oversized query strings to limit abuse surface
+  // Reject oversized query strings to reduce parsing overhead
   const maxQueryParamSize = runtimeConfig.security?.maxQueryParamSize
   if (maxQueryParamSize && !import.meta.prerender) {
     const queryString = parseURL(e.path).search || ''
@@ -107,26 +134,28 @@ export async function resolveContext(e: H3Event): Promise<H3Error | OgImageRende
     }
   }
 
-  // Also support query params for backwards compat and dynamic overrides
-  const query = getQuery(e)
+  // When URL signing is active, ignore all query param overrides to prevent injection
   let queryParams: Record<string, any> = {}
-  for (const k in query) {
-    const v = String(query[k])
-    if (!v)
-      continue
-    if (v.startsWith('{')) {
-      try {
-        queryParams[k] = JSON.parse(v)
+  if (!secret || import.meta.dev || import.meta.prerender) {
+    const query = getQuery(e)
+    for (const k in query) {
+      const v = String(query[k])
+      if (!v)
+        continue
+      if (v.startsWith('{')) {
+        try {
+          queryParams[k] = JSON.parse(v)
+        }
+        catch {
+          // ignore parse errors
+        }
       }
-      catch {
-        // ignore parse errors
+      else {
+        queryParams[k] = v
       }
     }
-    else {
-      queryParams[k] = v
-    }
+    queryParams = separateProps(queryParams)
   }
-  queryParams = separateProps(queryParams)
 
   // basePath is used for route rules matching - can be provided via _path param
   const basePath = withoutTrailingSlash(urlOptions._path || '/')
diff --git a/src/runtime/server/utils.ts b/src/runtime/server/utils.ts
@@ -12,7 +12,7 @@ export interface GetOgImagePathResult {
 
 export function getOgImagePath(_pagePath: string, _options?: Partial<OgImageOptionsInternal>): GetOgImagePathResult {
   const baseURL = useRuntimeConfig().app.baseURL
-  const { defaults } = useOgImageRuntimeConfig()
+  const { defaults, security } = useOgImageRuntimeConfig()
   const extension = _options?.extension || defaults.extension
   const isStatic = import.meta.prerender
   const options: Record<string, any> = { ..._options, _path: _pagePath }
@@ -24,7 +24,7 @@ export function getOgImagePath(_pagePath: string, _options?: Partial<OgImageOpti
     options._componentHash = component.hash
   // Include _path so the server knows which page to render
   // Pass defaults to skip encoding default values in URL
-  const result = buildOgImageUrl(options, extension, isStatic, defaults)
+  const result = buildOgImageUrl(options, extension, isStatic, defaults, security?.secret || undefined)
   return {
     path: joinURL('/', baseURL, result.url),
     hash: result.hash,
diff --git a/src/runtime/shared.ts b/src/runtime/shared.ts
@@ -4,7 +4,7 @@ import { defu } from 'defu'
 import { toValue } from 'vue'
 
 export { extractSocialPreviewTags, toBase64Image } from './pure'
-export { buildOgImageUrl, decodeOgImageParams, encodeOgImageParams, extractEncodedSegment, hashOgImageOptions, parseOgImageUrl } from './shared/urlEncoding'
+export { buildOgImageUrl, decodeOgImageParams, encodeOgImageParams, extractEncodedSegment, hashOgImageOptions, parseOgImageUrl, signEncodedParams, verifyOgImageSignature } from './shared/urlEncoding'
 
 const RE_KEBAB_CASE = /-([a-z])/g
 
@@ -60,7 +60,6 @@ function filterIsOgImageOption(key: string) {
     'alt',
     'props',
     'renderer',
-    'html',
     'component',
     'emojis',
     '_query',
diff --git a/src/runtime/shared/urlEncoding.ts b/src/runtime/shared/urlEncoding.ts
diff --git a/src/runtime/types.ts b/src/runtime/types.ts
diff --git a/test/unit/url-signing.test.ts b/test/unit/url-signing.test.ts
