How to use nonce in CSP

I've been reading the CSP documentation on using inline scripts with a nonce (number used once), but I still don't fully get it.

  • May I use the same nonce for different inline scripts? That is, may I do this?

HTTP layer:

Content-Security-Policy: script-src 'nonce-2726c7f26c'

JavaScript inlined in HTML:

<script nonce="2726c7f26c">
  var inline = 1;
</script>
<script nonce="2726c7f26c">
  var inline2 = 2;
</script>
  • Can you recommend a Node.js function to generate such nonces? Should I use require('crypto')?

Aónio asked Apr 24 '18 09:04


1 Answer

My solution was correct

We create one nonce per HTTP request; we should not create one per script. So my initial solution was correct. The CSP rules go into the HTTP layer, and thus there is one nonce per HTTP request.

Aónio answered Sep 18 '22 06:09