Field Privacy & Protection

Technical specification for protected (read-only) and hidden (server-side only) fields within the nuxt-auto-crud engine.

This guide defines the security boundaries for database fields. Agents and clients cannot write to protected fields or read from hidden fields, which preserves data integrity and keeps secrets on the server.

The nuxt-auto-crud engine enforces these boundaries by filtering fields automatically during CRUD operations, so individual handlers do not have to re-implement the checks.

๐Ÿ›ก๏ธ Protected Fields (Write-Only)

Protected fields are system-managed and cannot be updated via the generic CRUD endpoints: the engine strips them from incoming payloads before the write reaches the database. The list below is a deny-list applied to the payload. Whether a request that carries these keys is rejected outright or accepted with the keys removed is worth confirming against the installed version, because the second behaviour hides probing attempts from both the client and your logs.

Default Protected Fields:

  • Primary Keys: id
  • Timestamps: createdAt, updatedAt, deletedAt, created_at, updated_at, deleted_at
  • Audit Trails: createdBy, updatedBy, deletedBy, created_by, updated_by, deleted_by

🔒 Hidden Fields (Server-Side Only)

Hidden fields are stripped from all API responses (both the GET list and the GET single endpoints) to prevent sensitive data from leaking to clients. Hiding applies to response serialization; check separately that hidden columns cannot be referenced in client-supplied filter or sort parameters, since a value that cannot be read directly can still be inferred by probing through filters.

Default Hidden Fields:

  • Authentication: password, resetToken, githubId, googleId (and snake_case variants)
  • Security: secret, token
  • System metadata (soft-delete and audit state that should not leak to clients): deletedAt, createdBy, updatedBy, etc.

🛠 Customization

Custom field sets can be defined per model within the modelMapper.ts utility using customUpdatableFields and customHiddenFields. Hidden fields still exist in the database and remain available to server-side code; the setting controls only what the generic endpoints return.
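The following block is an added illustration of the two filters described above (protected fields stripped on write, hidden fields stripped on read) together with per-model overrides; it is not code from nuxt-auto-crud. The `FieldPolicy` shape, the `users` and `posts` model policies, the function names, and the assumption that `customUpdatableFields` acts as an allow-list that replaces the default deny-list are all choices made for this example. The write filter returns the names it dropped so a handler can log clients that keep trying to write `id` or `createdBy`.

```typescript
// Added example, not nuxt-auto-crud's own implementation. The policy shape,
// model names and allow-list semantics below are assumptions for illustration.

type Row = Record<string, unknown>;

// Default deny-list for writes (the "Default Protected Fields" list above).
const DEFAULT_PROTECTED: ReadonlySet<string> = new Set([
  'id',
  'createdAt', 'updatedAt', 'deletedAt', 'created_at', 'updated_at', 'deleted_at',
  'createdBy', 'updatedBy', 'deletedBy', 'created_by', 'updated_by', 'deleted_by',
]);

// Default deny-list for reads (the "Default Hidden Fields" list above, with the
// snake_case variants spelled out).
const DEFAULT_HIDDEN: ReadonlySet<string> = new Set([
  'password', 'resetToken', 'reset_token',
  'githubId', 'github_id', 'googleId', 'google_id',
  'secret', 'token',
  'deletedAt', 'deleted_at', 'createdBy', 'created_by', 'updatedBy', 'updated_by',
]);

interface FieldPolicy {
  // Assumed semantics: when present, ONLY these fields may be written (allow-list).
  customUpdatableFields?: readonly string[];
  // Assumed semantics: added to DEFAULT_HIDDEN for this model.
  customHiddenFields?: readonly string[];
}

// Hypothetical per-model policies; in the real project modelMapper.ts plays this role.
const modelPolicies: Record<string, FieldPolicy> = {
  users: { customHiddenFields: ['twoFactorSecret', 'two_factor_secret'] },
  posts: { customUpdatableFields: ['title', 'body', 'published'] },
};

export interface WriteFilterResult {
  clean: Row;        // what is allowed to reach the database
  dropped: string[]; // keys the client sent but is not allowed to write
}

// Remove fields a client must not write. The dropped names are returned so the
// caller can log them instead of silently ignoring repeated write attempts.
export function filterWritePayload(model: string, payload: Row): WriteFilterResult {
  const policy = modelPolicies[model] ?? {};
  const allow = policy.customUpdatableFields ? new Set(policy.customUpdatableFields) : null;
  const clean: Row = {};
  const dropped: string[] = [];
  for (const key of Object.keys(payload)) {
    const writable = allow ? allow.has(key) : !DEFAULT_PROTECTED.has(key);
    if (writable) {
      clean[key] = payload[key];
    } else {
      dropped.push(key);
    }
  }
  return { clean, dropped };
}

// Remove hidden fields from one row before it is serialized into a response.
export function filterReadRow(model: string, row: Row): Row {
  const policy = modelPolicies[model] ?? {};
  const extraHidden = new Set(policy.customHiddenFields ?? []);
  const out: Row = {};
  for (const key of Object.keys(row)) {
    if (!DEFAULT_HIDDEN.has(key) && !extraHidden.has(key)) {
      out[key] = row[key];
    }
  }
  return out;
}

// The same filter applied to a list response (GET list).
export function filterReadRows(model: string, rows: Row[]): Row[] {
  return rows.map((r) => filterReadRow(model, r));
}

// Constructed sample: a client PATCH that tries to overwrite system fields.
export const incomingUserPatch: Row = {
  email: 'alice@example.com',
  id: 999,
  createdBy: 'attacker',
  updated_at: '1970-01-01T00:00:00Z',
};

// Constructed sample: a row as it would come back from the database.
export const storedUser: Row = {
  id: 7,
  email: 'alice@example.com',
  password: '$2b$12$constructed-hash',
  resetToken: 'constructed-token',
  twoFactorSecret: 'JBSWY3DPEHPK3PXP',
  deletedAt: null,
  createdAt: '2024-01-01T00:00:00Z',
};

export const writeDemo = filterWritePayload('users', incomingUserPatch);
// writeDemo.clean   -> { email: 'alice@example.com' }
// writeDemo.dropped -> ['id', 'createdBy', 'updated_at']

export const readDemo = filterReadRow('users', storedUser);
// readDemo -> { id: 7, email: 'alice@example.com', createdAt: '2024-01-01T00:00:00Z' }
```

Two design points worth keeping when adapting this: the `posts` policy shows why an allow-list is the safer default for writes (a newly added sensitive column is unwritable until someone lists it, whereas a deny-list must be updated first), and the `dropped` array turns a silent filter into a signal you can alert on.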