httpd-users mailing list archives

From Daniel Gruno
Subject Re: [users@httpd] CSP nonces in apache
Date Mon, 11 Sep 2017 10:02:30 GMT
On 09/11/2017 11:51 AM, Luis Speciale wrote:
> On 11/09/2017 at 11:38, Mitchell Krog Photography wrote:
>> As per the original article from Scott Helme that you initially
>> referred to, you will need to generate a random string yourself.
>> Something like this might help you in the right direction -
> I was trying to do this with %{UNIQUE_ID} and %{TIME}, but these
> variables work in the httpd config but they appear literally in the
> content. I need an idea or a suggestion about how to achieve this
> otherwise, and that's what I can't figure out.
> Thanks for the answer.

You could alternately use mod_lua as an output filter.

LuaOutputFilter fixupNonce /path/to/nonce.lua nonce
# or AddOutputFilterByType
SetOutputFilter fixupNonce

and then in nonce.lua, you'd have:

function fixNonce(stype, str)
   -- external scripts (src=...) are left untouched
   if str:match("src=") then
      return ("<%s%s>"):format(stype, str)
   else
      -- inline tag: add the nonce attribute
      return ("<%s nonce=\"%s\"%s>"):format(stype, nid, str)
   end
end

function nonce(r)
   -- make a random nonce ID for this session
   nid = r:sha1(math.random(1,99999999) .. r.useragent_ip)
   coroutine.yield()
   -- for each bucket, substitute script/style if internal
   while bucket do
      bucket = bucket:gsub("<(script)(%s*.-)>", fixNonce)
      bucket = bucket:gsub("<(style)(%s*.-)>", fixNonce)
      coroutine.yield(bucket)
   end
end

> Luis
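
The same tag rewriting as a stand-alone Lua script, added here as an example and not part of the original post: it draws the nonce from the OS CSPRNG rather than math.random and builds the matching Content-Security-Policy value. The names new_nonce, add_nonce and csp_header, the sample HTML and the use of /dev/urandom are assumptions of this example.

```lua
-- Added example: runs with the stock `lua` interpreter, outside Apache.

-- Read 16 bytes from the OS CSPRNG and hex-encode them.
-- Assumption: a Unix-like host where /dev/urandom is readable.
local function new_nonce()
  local f = assert(io.open("/dev/urandom", "rb"))
  local bytes = f:read(16)
  f:close()
  return (bytes:gsub(".", function(c) return ("%02x"):format(c:byte()) end))
end

-- Add nonce="..." to inline <script>/<style> opening tags. Tags carrying a
-- src= attribute are returned unchanged, as in the post's fixNonce.
local function add_nonce(html, nonce)
  local function fix(tag, attrs)
    if attrs:match("src=") then
      return ("<%s%s>"):format(tag, attrs)
    end
    return ('<%s nonce="%s"%s>'):format(tag, nonce, attrs)
  end
  html = html:gsub("<(script)(%s*.-)>", fix)
  html = html:gsub("<(style)(%s*.-)>", fix)
  return html
end

-- Header value that allows only tags carrying this response's nonce.
local function csp_header(nonce)
  return ("script-src 'nonce-%s'; style-src 'nonce-%s'"):format(nonce, nonce)
end

-- Constructed sample page: one inline style, one external script,
-- one inline script with an existing attribute.
local sample = [[
<html><head>
<style>body { margin: 0 }</style>
<script src="/app.js"></script>
<script type="text/javascript">init();</script>
</head></html>]]

-- One fresh nonce per response, used in both the header and the body.
local nonce = new_nonce()
print("Content-Security-Policy: " .. csp_header(nonce))
print(add_nonce(sample, nonce))
```

Every inline script or style tag in the filtered body receives the nonce, so the filter should only process markup the application itself generated. The browser honours the attribute only when the same value is sent in the response's Content-Security-Policy header.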