Content Security Policy to secure your website (and more) (blog.dareboost.com) 16 points by dareboost 9y ago ↗ HN
[–] CiPHPerCoder 9y ago ↗ Static CSP headers are pretty cool, but they also support nonces, which look like this: // In the header: 'nonce-+2K9dA2eE3a/C16nYmoBr6Dj' // In the HTML: <script nonce="+2K9dA2eE3a/C16nYmoBr6Dj">/* your code here */</script> CSP nonces are useful for having dynamically generated Javascript without allowing unsafe-inline.Check out CSP-Builder if you want a simple interface for adding them to your project: https://github.com/paragonie/csp-builder <?php use \ParagonIE\CSPBuilder\CSPBuilder; $csp = CSPBuilder::fromFile('/path/to/source.json'); ?> <!-- snip --> <script nonce=<?php echo $csp->nonce('script-src'); ?>> [–] dareboost 9y ago ↗ Yes I mentionned it in the second part http://blog.dareboost.com/fr/2016/08/comment-implementer-con... but without any details. Still, it only available with CSP level 2.
[–] dareboost 9y ago ↗ Yes I mentionned it in the second part http://blog.dareboost.com/fr/2016/08/comment-implementer-con... but without any details. Still, it only available with CSP level 2.
2 comments
[ 2.9 ms ] story [ 8.3 ms ] threadCheck out CSP-Builder if you want a simple interface for adding them to your project: https://github.com/paragonie/csp-builder