Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Generate a nonce with Apache 2.4 (for a Content Security Policy header)

Tags:

security

apache

content-security-policy

We're working on creating a strict Content Security Policy (https://csp.withgoogle.com/docs/strict-csp.html) which necessitates Apache creating a nonce each time a resource is requested, so that we can insert this nonce into the http header.

How can we create a nonce with Apache 2.4?

All of the CSP related documentation I've read says something to the effect of "A nonce is just a random string that's generated on the server, included in the CSP header..." but haven't found any info on how to do this with Apache. We could of course do this with app code, but doing it via Apache seems like a cleaner solution/will ensure every single page gets the CSP header.

like image 785
KayakinKoder Avatar asked May 13 '17 01:05

KayakinKoder

People also ask

What is nonce in Content-Security-Policy?

A nonce is a random number used only once per page load. A nonce-based CSP can only mitigate XSS if the nonce value is not guessable by an attacker. A nonce for CSP needs to be: A cryptographically strong random value (ideally 128+ bits in length)

How do I add Content-Security-Policy header?

To add this custom meta tag, you can go to www.yourStore.com/Admin/Setting/GeneralCommon and find Custom <head> tag and add this as shown in the image below. Content Security Policy protects against Cross Site Scripting (XSS) and other forms of attacks such as ClickJacking.

What is Content-Security-Policy header?

What is Content-Security-Policy? Content-Security-Policy is the name of a HTTP response header that modern browsers use to enhance the security of the document (or web page). The Content-Security-Policy header allows you to restrict how resources such as JavaScript, CSS, or pretty much anything that the browser loads.

1 Answers

I would have preferred to simply add this as a comment but my reputation <50 does not allow it so I'm posting this as an answer instead.

In response to:

1.) apache generates a random string via mod_unique_id

This is a "unique" value not a "random" value, so you might want to be careful with its use as a CSP nonce.

2.) we insert this into our CSP header (not sure how to do this actually)

<IfModule mod_headers.c>
    <FilesMatch "\.(htm|html|php)$">
        Content-Security-Policy: script-src 'strict-dynamic' 'nonce-%{UNIQUE_ID}e' 'unsafe-inline' ' https:;
    </FilesMatch>
</IfModule>

I hope this helps.

like image 182
user3526609 Avatar answered Sep 20 '22 15:09

user3526609
Sign in to Comment

Related questions

SVG images not displaying on certain web servers
no such file to load -- bundler/setup
Rewrite all URLs except one
.htaccess is ignored when using an aliased URI
Django virtual host setup. Apache mod_wsgi
How to split existing apache logfile by month?
Deploy Django with Gunicorn and APACHE
Apache URL Re-writing not functioning properly
Configure htaccess to serve static django files
Apache Clean-Urls with MultiViews enabled
Node.js http response end event?
How to get properly encoded apache error.log with tailf?
PHP/Apache Error:406 Not Acceptable
LAMP stack's PHP not working (Ubuntu 13.10 / Apache 2.4.6)
What is the recommended max value for Max Connections Per Child in Apache configuration?
How to call a function when Apache terminates a Flask process?
Apache HTTP Server: How to restrict access to directory listings to some ip ranges?
How to get apache to serve static files on Flask webapp
SSLCertificateChainFile is obsolete
How do servers set HTTP response headers?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!