Running inline scripts and styles with Nonces

Running inline scripts

This page is running inline script and styles.

Here the script runs and the styles are applied with nonces.

Nonce = Number used just once.

Using a nonce in the CSP header

This time the CSP header contains a nonce value:

Content-Security-Policy: ... script-src 'self' 'nonce-KQhGGL34bswLhxppyZeOIR61bxc8dYWdFBUs/VnEWHU='

And so does the <script> tag:

<script nonce="KQhGGL34bswLhxppyZeOIR61bxc8dYWdFBUs/VnEWHU=">alert('Use the Nonce!');</script>

Of course every request contains a unique nonce, so you need server-side logic to embed the nonce.

© 2017 - Peter Himschoot