Tags: josephmarino/portfolio
Nonce attribute added to JavaScript blocks to comply with CSP

I added a nonce attribute to all JavaScript blocks to comply with a CSP that I set for my site, josephmarino.net. I used Google's CSP evaluator as a starting point for building a CSP. I implemented a CSP to learn about how CSPs work and to help mitigate against cross-site scripting (XSS) attacks.

When a page loads, a nonce is generated by PHP using the GenerateNonce() function in portfolio.class. The nonce is a one-time-use, cryptographically strong string that is generated using one of PHP's CSPRNG functions, random_bytes(). After the nonce is generated, it is base64 encoded using PHP's base64_encode() function.

An alternative method to using PHP to generate a nonce is to generate a nonce using the set_secure_random_alphanum directive in OpenResty's set_misc_module for NGINX. In that type of setup, when a page with a JavaScript block that contains a nonce attribute such as "INSERT_NONCE" is processed by NGINX, the sub_filter directive in NGINX's http_sub_module would replace the "INSERT_NONCE" string in the nonce attribute with a nonce generated by OpenResty's set_secure_random_alphanum directive. I chose to generate the nonce using PHP's random_bytes function because it is a simple and secure way to generate a nonce.

At the time of writing this message, the CSP for this portfolio is:

    script-src 'strict-dynamic' 'nonce-$generated_nonce'; object-src 'none'; base-uri 'none'; default-src 'none'; connect-src 'self'; font-src 'self'; frame-src 'self'; frame-ancestors 'self'; img-src 'self' https://www.google-analytics.com https://www.googletagmanager.com; style-src 'self'; form-action 'self'; worker-src 'self';

The above CSP for josephmarino.net is implemented as a "Content-Security-Policy" HTTP header.
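The following is an added example of the nonce flow described above, written for this note and not taken from the portfolio's own portfolio.class. It generates a per-request nonce with random_bytes() and base64_encode(), builds the policy shown above with that nonce filled in, sends it as the Content-Security-Policy header, and emits one script tag that carries the nonce and one that does not. The function names generateNonce() and buildCsp() are assumptions for illustration, and the 16-byte nonce length is a constructed choice.

```php
<?php
// Added example (not the project's code): per-request CSP nonce generation,
// header emission and a matching <script nonce="..."> tag.

// Generate a one-time nonce: random bytes from PHP's CSPRNG, base64-encoded so
// the value is safe to place in both the header and an HTML attribute.
// 16 bytes (128 bits) is an assumed length; the page does not state one.
function generateNonce(int $bytes = 16): string
{
    return base64_encode(random_bytes($bytes));
}

// Build the policy string with the nonce interpolated. Double-quoted PHP
// strings are required here: in a single-quoted string "$nonce" would be
// emitted literally and the browser would never match any script tag.
function buildCsp(string $nonce): string
{
    return implode('; ', [
        "script-src 'strict-dynamic' 'nonce-{$nonce}'",
        "object-src 'none'",
        "base-uri 'none'",
        "default-src 'none'",
        "connect-src 'self'",
        "font-src 'self'",
        "frame-src 'self'",
        "frame-ancestors 'self'",
        "img-src 'self' https://www.google-analytics.com https://www.googletagmanager.com",
        "style-src 'self'",
        "form-action 'self'",
        "worker-src 'self'",
    ]);
}

$nonce = generateNonce();

// Headers must be sent before any body output, so this runs first.
header('Content-Security-Policy: ' . buildCsp($nonce));

// Escape the value for use in an attribute. Base64 output only contains
// [A-Za-z0-9+/=], so nothing changes, but escaping every attribute value
// consistently avoids mistakes when the template is edited later.
$nonceAttr = htmlspecialchars($nonce, ENT_QUOTES, 'UTF-8');
?>
<!doctype html>
<html>
<head>
<script nonce="<?= $nonceAttr ?>">
  // Executes: its nonce matches the one in the header.
  console.log('script allowed by CSP nonce');
</script>
<script>
  // Does not execute: no nonce, and 'strict-dynamic' without 'unsafe-inline'
  // gives the browser no other reason to trust an inline block. The refusal
  // is logged to the browser console, which is a quick way to verify the policy.
  console.log('this inline script is blocked');
</script>
</head>
<body></body>
</html>
```

Because the header and the tag are produced from the same $nonce variable in one request, each page load gets a fresh value and a nonce observed in one response is useless for any other. Note that 'strict-dynamic' also lets scripts that the nonced block loads (for example, an injected tag manager loader) run without their own nonce, which is why the policy above can omit the Google domains from script-src while still listing them under img-src.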