fix(security): allow disabling proxy signing with security: false #789

Merged: harlan-zw merged 2 commits into main from fix/proxy-token-opt-out on May 21, 2026

@harlan-zw (Collaborator) commented May 21, 2026

🔗 Linked issue

Resolves #783

❓ Type of change

  • 📖 Documentation
  • 🐞 Bug fix
  • 👌 Enhancement
  • ✨ New feature
  • 🧹 Chore
  • ⚠️ Breaking change

📚 Description

The proxy page token is injected into the SSR payload on every request, so the response hash changes each time. This breaks computing a stable etag, and the only way to avoid it was to leave the proxy secret unset (not possible in dev, where it auto-generates).

security now accepts false. When set, the module resolves no secret, auto-generates nothing into .env, skips the page token plugin, and withSigning passes proxy requests through without verification. This is a clean, single-flag opt-out of all proxy security. Documented in the first-party guide.
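
The effect described in the PR description above, reproduced as an added example (not code from this PR or from @nuxt/scripts). `renderPage`, `etagFor`, `isEtagStable`, `statusFor` and the payload shape are hypothetical stand-ins for an SSR renderer and a caching layer; only the `security: false` switch comes from the page.

```javascript
// Added illustration. All function names and the payload shape are hypothetical;
// this is not how @nuxt/scripts builds or signs its page token.
const { createHash, randomBytes } = require('node:crypto')

// Content-hash ETag, as a cache or CDN layer in front of SSR might compute it.
function etagFor(body) {
  const digest = createHash('sha256').update(body).digest('base64url')
  return `"${digest.slice(0, 27)}"`
}

// Simulated SSR render. Unless security is false, a fresh per-request token
// (constructed stand-in value) is serialized into the payload.
function renderPage({ security }) {
  const payload = { data: { title: 'Home' } }
  if (security !== false) {
    payload.proxyToken = randomBytes(16).toString('hex')
  }
  const json = JSON.stringify(payload)
  return `<html><body><div id="app">Home</div>` +
    `<script type="application/json">${json}</script></body></html>`
}

// Regression check: render the same page several times and report whether
// every render produced the same ETag.
function isEtagStable(options, renders = 5) {
  const tags = new Set()
  for (let i = 0; i < renders; i++) {
    tags.add(etagFor(renderPage(options)))
  }
  return tags.size === 1
}

// Conditional GET: a 304 is only reachable when the ETag is reproducible.
function statusFor(ifNoneMatch, options) {
  return ifNoneMatch === etagFor(renderPage(options)) ? 304 : 200
}

// With the token in the payload every render hashes differently; with
// security: false the body is byte-identical, but per the description above
// proxy requests are then passed through without verification.
console.log('stable with token:   ', isEtagStable({ security: true }))
console.log('stable with opt-out: ', isEtagStable({ security: false }))
```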

vercel Bot (Contributor) commented May 21, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
scripts-playground Error Error May 21, 2026 5:09am

coderabbitai Bot commented May 21, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between f46ccb6 and f5cbad4.

📒 Files selected for processing (2)
  • docs/content/docs/1.guides/2.first-party.md
  • packages/script/src/module.ts

📝 Walkthrough

This PR adds a pageToken option to the scripts.security configuration to control whether a per-request proxy page token is emitted into the SSR payload. When disabled, the token is excluded from the payload, allowing response ETags to remain stable across requests. The proxy-token.server plugin registration is now conditional based on this option instead of registering unconditionally when signing is enabled. Documentation and troubleshooting guidance are added to explain the feature's behavior and implications for response hashing.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly and specifically describes the main change: allowing users to opt out of proxy page token inclusion in SSR payload.
Description check ✅ Passed The description is directly related to the changeset, explaining the problem, solution, and implementation including the new security.pageToken option and documentation updates.
Linked Issues check ✅ Passed The PR fully addresses issue #783 by implementing a configurable pageToken option that allows opting out of proxy token injection, enabling stable response hashing and etag computation.
Out of Scope Changes check ✅ Passed All changes are in scope: documentation updates to the first-party guide, module interface updates to add pageToken option, and conditional plugin registration logic directly addressing the linked issue.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

pkg-pr-new Bot commented May 21, 2026

npm i https://pkg.pr.new/@nuxt/scripts@789

commit: f5cbad4

@harlan-zw harlan-zw merged commit 4738a27 into main May 21, 2026
18 of 19 checks passed
@harlan-zw harlan-zw deleted the fix/proxy-token-opt-out branch May 21, 2026 05:17
@harlan-zw harlan-zw changed the title fix(security): allow opting out of proxy page token in SSR payload fix(security): allow disabling proxy signing with security: false May 21, 2026
Successfully merging this pull request may close these issues.

Nuxt Scripts injects proxy token into payload even if not used