2 comments

[ 2.9 ms ] story [ 8.3 ms ] thread
Static CSP headers are pretty cool, but they also support nonces, which look like this:

  // In the header:
  'nonce-+2K9dA2eE3a/C16nYmoBr6Dj'
  // In the HTML:
  <script nonce="+2K9dA2eE3a/C16nYmoBr6Dj">/* your code here */</script>
CSP nonces are useful for having dynamically generated Javascript without allowing unsafe-inline.

Check out CSP-Builder if you want a simple interface for adding them to your project: https://github.com/paragonie/csp-builder

  <?php
  use \ParagonIE\CSPBuilder\CSPBuilder;
  
  $csp = CSPBuilder::fromFile('/path/to/source.json');
  ?>
  <!-- snip -->
  <script nonce=<?php echo $csp->nonce('script-src'); ?>>