httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Luis Speciale <>
Subject [users@httpd] CSP nonces in apache
Date Thu, 07 Sep 2017 17:46:14 GMT

I wanted to have CSP nonces in apache. Something like this in NGINX
The idea is to generate a number, put this number in the CSP nonce (the 
header) and then replicate this number in every inline script.

So in my httpd-vhosts.conf I did this

Define numbnonce %{UNIQUE_ID}e
SubstituteInheritBefore on
AddOutputFilterByType SUBSTITUTE text/html
Substitute "s|(<script)((?:(?!src=).)*?>)|$1 nonce-$numbnonce$2|i"
Substitute "s|(<style)((?:(?!src=).)*?>)|$1 nonce-$numbnonce$2|i"
Header set Content-Security-Policy "default-src 'self'; connect-src 
'self' ; script-src 'self' 'nonce-${numbnonce}'; style-src 'self' 

The variable appears in the headers  ('nonce-WbGA@8CoABAAADceEfUAAAAP')
but it doesn't in the substitution (<script nonce-$numbnonce="">) and I 
can't see why because I'm not skilled enough.

Thanks for reding me and thanks in advance for any ideas or suggestions.


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message