CSP nonces in apache

Hello;

I wanted to have CSP nonces in Apache. Something like this in NGINX
https://scotthelme.co.uk/csp-nonce-support-in-nginx/
The idea is to generate a number, put this number in the CSP nonce (the header) and then replicate this number in every inline script.

So in my httpd-vhosts.conf I did this

Define numbnonce %{UNIQUE_ID}e
			
SubstituteInheritBefore on
AddOutputFilterByType SUBSTITUTE text/html
Substitute "s|(<script)((?:(?!src=).)*?>)|$1 nonce-$numbnonce$2|i"
Substitute "s|(<style)((?:(?!src=).)*?>)|$1 nonce-$numbnonce$2|i"
	
Header set Content-Security-Policy "default-src 'self'; connect-src 'self' ; script-src 'self' 'nonce-${numbnonce}'; style-src 'self' 'nonce-${numbnonce}';"

The variable appears in the headers  ('nonce-WbGA@8CoABAAADceEfUAAAAP')
but it doesn't in the substitution (<script nonce-$numbnonce="">) and I can't see why because I'm not skilled enough.

Thanks for reading me and thanks in advance for any ideas or suggestions.

Luis
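
A way to check what the server actually sent, as an added example that is not part of the original post: this Python script compares the nonces in the Content-Security-Policy header with the nonce attributes on inline script and style tags. It reads only explicit script-src/style-src directives (no default-src fallback); the function names and the HTML body are constructed for the example, and the header nonce is the one quoted in the post.

```python
import re
from html.parser import HTMLParser

# CSP nonce-source grammar: base64 or base64url characters plus optional padding.
NONCE_SOURCE = re.compile(r"^'nonce-([A-Za-z0-9+/_-]+={0,2})'$", re.I)

def policy_nonces(csp, directive):
    """Return (valid nonces, malformed nonce tokens) listed for one directive."""
    valid, malformed = set(), []
    for part in csp.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == directive:
            for tok in tokens[1:]:
                if tok.lower().startswith("'nonce-"):
                    m = NONCE_SOURCE.match(tok)
                    if m:
                        valid.add(m.group(1))
                    else:
                        malformed.append(tok)
    return valid, malformed

class InlineTagAudit(HTMLParser):
    def __init__(self, allowed):
        super().__init__()
        self.allowed, self.problems = allowed, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # External scripts (src=...) are governed by the host sources, not the nonce.
        if tag in self.allowed and not (tag == "script" and "src" in attrs):
            where = f"line {self.getpos()[0]}: inline <{tag}>"
            if "nonce" not in attrs:
                self.problems.append(f"{where} has no nonce attribute")
            elif attrs["nonce"] not in self.allowed[tag]:
                self.problems.append(f"{where} nonce is not in the policy")

def audit(csp, html):
    """Compare the header's script-src/style-src nonces with the body's tags."""
    allowed, problems = {}, []
    for tag in ("script", "style"):
        allowed[tag], malformed = policy_nonces(csp, f"{tag}-src")
        problems += [f"{tag}-src: malformed nonce source {t}" for t in malformed]
    parser = InlineTagAudit(allowed)
    parser.feed(html)
    return problems + parser.problems

# Header nonce as quoted in the post; the HTML body is constructed for this example.
POSTED_NONCE = "'nonce-WbGA@8CoABAAADceEfUAAAAP'"
POSTED_CSP = f"default-src 'self'; script-src 'self' {POSTED_NONCE}; style-src 'self' {POSTED_NONCE};"
POSTED_HTML = '<head>\n<script nonce-$numbnonce="">init()</script>\n<script src="/app.js"></script>\n</head>'
```

Calling audit(POSTED_CSP, POSTED_HTML) reports the header nonce as malformed in both directives, because "@" is outside the character set the CSP grammar allows in a nonce, and reports the inline script as having no nonce attribute, since "nonce-$numbnonce" is an attribute name rather than nonce="value".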
