We are in the process of updating the Content Security Policy (CSP) for one of our application modules to enhance security and remove the use of 'unsafe-inline' from the script-src directive.
To ensure compliance with CSP standards while maintaining functionality, we are looking to implement a standardized approach for using nonces with script tags. Specifically, we are seeking guidance on the following:
- Secure Nonce Generation: What is the recommended method for securely generating a nonce value on the server side?
- Passing Nonce to the Frontend: What is the standard mechanism in SmartGWT for passing the generated nonce from the backend to the frontend (e.g., via HTTP headers, embedded in the page, etc.)?
- Applying Nonce to Script Tags: What is the preferred way to attach the nonce to both static and dynamically injected <script> tags within a SmartGWT application?
Our current CSP configuration is as follows:
Content-Security-Policy: frame-ancestors 'self'; default-src 'self'; style-src * 'unsafe-inline'; script-src * 'unsafe-inline' 'unsafe-eval'; img-src * data: 'unsafe-inline'; font-src 'self'; frame-src 'self';
We aim to replace 'unsafe-inline' in script-src with a nonce-based approach to align with modern security best practices.
Any documentation, examples, or implementation recommendations would be greatly appreciated.