Aónio
Reputation: 579
How to use nonce in CSP
I've been reading the CSP documentation regarding using inline scripts with nonce (Number used only once), but I still don't get it fully.
- May I use the same nonce to different inline scripts? That is, may I do this?
HTTP layer:
Content-Security-Policy: script-src 'nonce-2726c7f26c'
Javascript inlined in HTML
<script nonce="2726c7f26c">
var inline = 1;
</script>
<script nonce="2726c7f26c">
var inline2 = 2;
</script>
- can you recommend me any node.js function to generate such nonces? Shall I use the
require('crypto')?
Upvotes: 13
Views: 8554
Answers (1)
Aónio
Reputation: 579
My solution was correct
We create one nonce per HTTP request, we should not create one per script. So, my initial solution was correct. The CSP rules go into the HTTP layer, and thus one nonce per HTTP request.
Upvotes: 24
Related Questions
- Helmet and contentSecurityPolicy and using nonce AND adding it but still getting error
- how to implement content security policy NONCE in html script tags with node and helmet
- Content Security Policy multiple nonce
- How to generate a nonce in node.js?
- Why is my nonce being ignored in node.js?
- CSP with nonce under node.js application - Refused to apply inline style/script
- What is the right procedure to set a nonce in the csp policy?
- How to use nonce in IIS for content security policy?
- Use CSP nonce without server side rendering (cookie)
- CSP header not detected