chore(nuxt): switch ogImage security to strict mode (#153)

### 🔗 Linked issue

<!-- Please ensure there is an open issue and mention its number. For
example, "resolves #123" -->

### 🧭 Context

The `nuxt-og-image` module exposes a security option to control how OG
image requests are validated. Previously the config used
`maxQueryParamSize: 2048` to limit query string length. The module's
recommended hardened default is `strict: true`, which enables all
protections at once.

### 📚 Description

Replaces the `maxQueryParamSize: 2048` option inside `ogImage.security`
with `strict: true` in `nuxt.config.ts`.

`strict: true` enables the full security surface of the `nuxt-og-image`
module (signature verification, query-param constraints, and other
hardening) rather than only capping the query param size. This is a
documentation-only config change with no functional impact on existing
OG images as long as the app is not relying on unsigned, oversized query
strings.

**Impact:** configuration change only — no runtime logic modified.

Author: RedStar071

.env.example

@@ -22,6 +22,9 @@ NUXT_OAUTH_DISCORD_BOT_TOKEN=
 # You can use: openssl rand -base64 32
 NUXT_SESSION_PASSWORD=
 
+# Secret for generating OG images (generate a secure random string)
+# You can use: openssl rand -base64 32
+NUXT_IMAGE_PROXY_SECRET=
 # ===================================
 # Storage Configuration (Required)
 # ===================================

.github/workflows/continuous-integration.yml

@@ -115,12 +115,14 @@ jobs:
           VALIDATE_HTML: true
           NODE_OPTIONS: --max-old-space-size=4096
           NUXT_PUBLIC_SITE_URL: https://wolfstar.rocks
+          NUXT_IMAGE_PROXY_SECRET: ci-test-og-image-secret-at-least-32-characters-long
           NUXT_SESSION_PASSWORD: ci-test-session-password-at-least-32-characters-long
 
       - name: 🖥️ Test project (browser)
         run: vp run test:browser:prebuilt
         env:
           NUXT_SESSION_PASSWORD: ci-test-session-password-at-least-32-characters-long
+          NUXT_IMAGE_PROXY_SECRET: ci-test-og-image-secret-at-least-32-characters-long
 
   benchmark:
     name: ⚡ Benchmarks
@@ -162,13 +164,15 @@ jobs:
         run: vp run build:test
         env:
           NUXT_PUBLIC_SITE_URL: https://wolfstar.rocks
+          NUXT_IMAGE_PROXY_SECRET: ci-test-og-image-secret-at-least-32-characters-long
           NUXT_SESSION_PASSWORD: ci-test-session-password-at-least-32-characters-long
 
       - name: ♿ Accessibility audit (Lighthouse - ${{ matrix.mode }} mode)
         run: vp run test:a11y:prebuilt
         env:
           LHCI_GITHUB_APP_TOKEN: ${{ secrets.LHCI_GITHUB_APP_TOKEN }}
           LIGHTHOUSE_COLOR_MODE: ${{ matrix.mode }}
+          NUXT_IMAGE_PROXY_SECRET: ci-test-og-image-secret-at-least-32-characters-long
           NUXT_SESSION_PASSWORD: ci-test-session-password-at-least-32-characters-long
 
   knip:

nuxt.config.ts

@@ -372,7 +372,11 @@ export default defineNuxtConfig({
 
 	ogImage: {
 		security: {
-			maxQueryParamSize: 2048,
+			strict: !!process.env.NUXT_IMAGE_PROXY_SECRET,
+			secret: process.env.NUXT_IMAGE_PROXY_SECRET,
+			// HMAC signing is sufficient; origin pinning blocks localhost e2e runs
+			// and adds no meaningful security on top of signed URLs.
+			restrictRuntimeImagesToOrigin: false,
 		},
 	},
 	// PWA configuration