httpd-users mailing list archives
From Luis Speciale <>
Subject Re: [users@httpd] CSP nonces in apache (SOLVED)
Date Mon, 11 Sep 2017 18:40:44 GMT
On 11/09/2017 at 17:12, Daniel Gruno wrote:

For those who want to accept inline scripts and styles with a nonce
according to the CSP directives.

You must reinstall your Apache server with Lua support.
On my Mac I had installed httpd 2.4 with brew

and add

In the args section and save it

	args = %W[

Then stop and reinstall Apache

	sudo apachectl stop
	brew reinstall httpd24

Edit httpd.conf and add mod_lua

	LoadModule lua_module libexec/

Add these two lines in your httpd-vhosts.conf

	LuaOutputFilter fixupNonce /usr/local/var/www/nonce.lua nonce
	SetOutputFilter fixupNonce

Put this text in /usr/local/var/www/nonce.lua

-- Thanks to Daniel Gruno who did… almost everything!

-- Nonce for the current response; set in nonce(), read by fixNonce()
local nid

function fixNonce(stype, str)
	-- If it has a source, it's not inline
	if str:match("src=") then
		return ("<%s%s>"):format(stype, str)
	else
		-- If not, we add the nonce as a nonce="..." attribute
		return ('<%s nonce="%s"%s>'):format(stype, nid, str)
	end
end

function nonce(r)
	-- Make a random nonce ID for this response
	-- (math.random is not a CSPRNG; unseeded it repeats the same sequence)
	math.randomseed(os.time())
	nid = r:sha1(math.random(1,999999999)..r.useragent_ip)
	-- Set the CSP header here instead of httpd.conf and give the var
	-- nid to nonce- (browsers enforce Content-Security-Policy, not the
	-- old X- prefixed header)
	r.err_headers_out['Content-Security-Policy'] = "default-src 'self'; " ..
		"connect-src 'self'; script-src 'self' 'nonce-"..nid.."'; " ..
		"style-src 'self' 'nonce-"..nid.."'; font-src 'self'; " ..
		"frame-ancestors 'self'; object-src 'none'; " ..
		"sandbox allow-forms allow-same-origin allow-scripts allow-popups " ..
		"allow-modals allow-orientation-lock allow-pointer-lock " ..
		"allow-presentation allow-popups-to-escape-sandbox; " ..
		"base-uri 'self'; report-uri https://••••••YOURSITE••••••••/CSP_URI.php"
	-- First yield tells mod_lua we are ready to receive buckets
	coroutine.yield()
	-- For each bucket, substitute script/style if inline
	while bucket do
		bucket = bucket:gsub("<(script)(%s*.-)>", fixNonce)
		bucket = bucket:gsub("<(style)(%s*.-)>", fixNonce)
		-- Hand the rewritten bucket back to the filter chain
		coroutine.yield(bucket)
	end
end

And start apache.

Test it with

<!doctype html>
<html class="no-js" lang="en">
<head>
	<meta charset="utf-8">
	<meta name="description" content="fait des sites avec SPIP">
	<script>console.log("It Works!");</script>
	<style>h5 {color:#900;}</style>
</head>
<body><h5>It Works!</h5></body>
</html>

You should have a red h5 and a console.log that confirms It works!

Et voilà!

Thanks again Daniel!
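The rewriting rule above can be exercised offline. What follows is an added example, not code from the original message or from mod_lua: a plain Lua 5.3 model of the same gsub logic, a checker that confirms every inline tag carries the nonce the header advertises, and a constructed two-bucket response showing why the per-bucket loop needs the body buffered before rewriting. The function names (make_nonce, add_nonce, verify, filter_per_bucket, filter_buffered) and /dev/urandom as the nonce source are assumptions.

```lua
-- Stand-alone model of the nonce.lua logic in plain Lua 5.3 (no mod_lua).
-- A CSP nonce must be unpredictable and fresh per response: 16 bytes from
-- /dev/urandom, hex-encoded (hex is within CSP's base64-value charset),
-- stand in for sha1(math.random() .. client IP).
local function make_nonce()
  local f = assert(io.open("/dev/urandom", "rb"))
  local raw = f:read(16); f:close()
  return (raw:gsub(".", function(c) return ("%02x"):format(c:byte()) end))
end
-- Same rule as nonce.lua: a tag with src= is external and is left alone,
-- an inline one gets nonce="...".
local function add_nonce(html, nid)
  local function fix(stype, attrs)
    if attrs:match("src=") then return ("<%s%s>"):format(stype, attrs) end
    return ('<%s nonce="%s"%s>'):format(stype, nid, attrs)
  end
  html = html:gsub("<(script)(%s*.-)>", fix)
  html = html:gsub("<(style)(%s*.-)>", fix)
  return html
end
-- Defender-side check: every inline <script>/<style> must carry exactly the
-- nonce that the Content-Security-Policy header advertises.
local function verify(html, nid)
  for tag, attrs in html:gmatch("<(%a+)(%s*.-)>") do
    if (tag == "script" or tag == "style") and not attrs:match("src=")
       and not attrs:find('nonce="' .. nid .. '"', 1, true) then
      return false, tag
    end
  end
  return true
end
-- mod_lua hands the filter one bucket at a time; a tag that straddles a
-- bucket boundary is invisible to a per-bucket gsub (the original loop),
-- so buffer the body and rewrite it once.
local function filter_per_bucket(buckets, nid)
  local out = {}
  for _, b in ipairs(buckets) do out[#out + 1] = add_nonce(b, nid) end
  return table.concat(out)
end
local function filter_buffered(buckets, nid)
  return add_nonce(table.concat(buckets), nid)
end
-- Constructed sample response: the <style> tag is split across two buckets.
local SAMPLE = {
  '<head><script>console.log("It Works!");</script><sty',
  'le>h5 {color:#900;}</style></head><body><h5>ok</h5></body>',
}
local nid = make_nonce()
-- Per-bucket rewriting misses the split <style>; the buffered pass catches it.
assert(not verify(filter_per_bucket(SAMPLE, nid), nid))
assert(verify(filter_buffered(SAMPLE, nid), nid))
```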

