Fix Improper Assets Management in Nuxt
Nuxt's directory structure defines your attack surface. Everything in 'public/' is copied verbatim into the build output and served from the site root with no authentication, so each file in it is a zero-auth static endpoint. Improper asset management occurs when developers leak internal configuration, source maps, or sensitive metadata by misplacing them in the web root or by failing to filter build artifacts. In Nuxt, if a file is in 'public/', an attacker doesn't need a bypass; they just need the URL. Stop treating your static folder like a junk drawer.
The Vulnerable Pattern
// File: public/config.json - EXPOSED TO WORLD at https://<host>/config.json
{
  "INTERNAL_API_URL": "http://10.0.0.5:9000",
  "DEBUG_TOKEN": "secret-123"
}

// File: nuxt.config.ts
export default defineNuxtConfig({
  // VULNERABILITY: Enabling source maps in production.
  // `sourcemap: true` emits maps for both the server and the client bundle;
  // the client maps ship to every visitor and let an attacker reconstruct
  // the original frontend source.
  sourcemap: true,

  // VULNERABILITY: Hardcoding a secret key under runtimeConfig.public.
  // Everything under `public` is serialized into the client bundle and the
  // page payload, so this key is readable by anyone who loads the site.
  runtimeConfig: {
    public: {
      STRIPE_SECRET_KEY: 'sk_test_51…'
    }
  }
})
The Secure Implementation
Hardening Nuxt assets requires a strict 'deny-by-default' mindset.

1. The 'public/' directory should contain only files that are meant to be fetched anonymously: images, fonts, icons, robots.txt. Never JSON configs, internal docs, or anything that carries a credential.
2. Use 'runtimeConfig' correctly: keys outside the 'public' object are available only on the server via 'useRuntimeConfig()' and are not serialized into the client bundle. Anything under 'public' is shipped to every visitor, so treat it as world-readable.
3. Strip client source maps in production to prevent reverse engineering of your business logic. Nuxt 3 defaults to server maps only ('{ server: true, client: false }'), so the exposure is usually an explicit 'sourcemap: true' left over from debugging.
4. Audit the deployment artifact after every build ('.output/' for 'nuxt build', 'dist/' for 'nuxt generate') to ensure no '.env', '.git', or '*.map' files were accidentally copied into it.
// File: .env - Keep secrets in environment variables, never under public/
NUXT_STRIPE_SECRET_KEY=sk_live_...

// File: nuxt.config.ts
export default defineNuxtConfig({
  // SECURE: No client source maps in production builds. NODE_ENV is read when
  // the config is loaded at build time. Server maps are turned off here as well;
  // they never reach the browser, but they need not ship in the artifact either.
  sourcemap: {
    client: process.env.NODE_ENV !== 'production',
    server: false
  },

  runtimeConfig: {
    // SECURE: Keep sensitive keys outside the `public` object.
    // Server-only keys are returned by useRuntimeConfig() on the server and are
    // absent from the client bundle. Nuxt also overrides this key at runtime from
    // the environment variable NUXT_STRIPE_SECRET_KEY, so the value need not be
    // baked in at build time.
    stripeSecretKey: process.env.NUXT_STRIPE_SECRET_KEY,
    public: {
      // Only non-sensitive, client-facing configuration
      apiBase: '/api'
    }
  }
})
Verified by Ghost Labs Security Team
This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.