
set_secure_random_alphanum doesn't work well with fastcgi_cache #42

@Dreamsorcerer

Description

I'm trying to use a secure nonce to allow some inline code through a CSP. However, this doesn't work when combined with fastcgi_cache as the nonce value used in the web page is cached, but the nonce value output in the header is created anew.

The server config looks something like this:

	# server level: hand the nonce to PHP and emit it in the CSP header
	fastcgi_param CSP_NONCE $nonce;
	more_set_headers "Content-Security-Policy: style-src 'nonce-$nonce';";

	location = / {
		# a fresh 10-character nonce is generated on every request, cache hit or not
		set_secure_random_alphanum $nonce 10;
		fastcgi_pass php;
	}

The result is that a nonce is generated and inserted into the CSP header and passed to PHP which inserts it into the HTML. But, as mentioned, when using fastcgi_cache, the header/nonce is not cached along with the page.
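As an added check, not part of the issue or of the set-misc module: a small Python script that extracts the nonce from a response's Content-Security-Policy header and the nonce attributes from the HTML body and reports any directive whose body nonces the header does not allow, which is exactly how the symptom above looks on the wire. The sample headers and body are constructed to mirror the report (a freshly generated header nonce over a body that still carries the cached page's nonce); `check_url` is an assumed helper for running the same comparison against a live server.

```python
"""Detect a CSP nonce header that does not match the nonces used in the HTML body.

Added example, not from the issue or the set-misc module. The sample response
below is constructed: the header carries a freshly generated nonce while the
body still holds the nonce that was baked into the cached page.
"""
import re
import urllib.request
from html.parser import HTMLParser

# Constructed sample modelling the report: header nonce is fresh, body nonce is stale.
SAMPLE_HEADERS = {
    "Content-Security-Policy": "style-src 'nonce-kQ7pL2mX9a';",
    "Content-Type": "text/html",
}
SAMPLE_BODY = """<html><head>
<style nonce="Zb4tR8nV1c">body { color: #333; }</style>
</head><body><p>cached page</p></body></html>"""

# Matches 'nonce-<value>' source expressions inside a CSP directive.
CSP_NONCE_RE = re.compile(r"'nonce-([A-Za-z0-9+/=_-]+)'")

# Elements that may carry a nonce attribute, and the directive governing each.
TAG_TO_DIRECTIVE = {"script": "script-src", "style": "style-src"}


def csp_nonces(csp_value):
    """Map each CSP directive to the set of nonces it allows (directives without nonces are skipped)."""
    allowed = {}
    for directive in csp_value.split(";"):
        parts = directive.split()
        if not parts:
            continue
        nonces = set(CSP_NONCE_RE.findall(directive))
        if nonces:
            allowed[parts[0].lower()] = nonces
    return allowed


class _NonceCollector(HTMLParser):
    """Collects nonce="" attributes from <script> and <style> start tags."""

    def __init__(self):
        super().__init__()
        self.found = {}  # directive -> set of nonces used in the body

    def handle_starttag(self, tag, attrs):
        directive = TAG_TO_DIRECTIVE.get(tag)
        if directive is None:
            return
        for name, value in attrs:
            if name == "nonce" and value:
                self.found.setdefault(directive, set()).add(value)


def body_nonces(html):
    """Map each governing directive to the nonces actually used in the document."""
    collector = _NonceCollector()
    collector.feed(html)
    return collector.found


def check_nonces(headers, body):
    """Return [(directive, header_nonces, body_nonces)] for every directive whose body
    nonces are not all permitted by the header; an empty list means header and body agree."""
    csp_value = ""
    for name, value in headers.items():
        if name.lower() == "content-security-policy":
            csp_value = value
            break
    allowed = csp_nonces(csp_value)
    used = body_nonces(body)
    mismatches = []
    for directive in sorted(used):
        if used[directive] - allowed.get(directive, set()):
            mismatches.append((directive, allowed.get(directive, set()), used[directive]))
    return mismatches


def check_url(url):
    """Assumed helper: fetch a live page and run the same comparison (needs network access)."""
    with urllib.request.urlopen(url) as resp:
        headers = dict(resp.getheaders())
        charset = resp.headers.get_content_charset() or "utf-8"
        body = resp.read().decode(charset, "replace")
    return check_nonces(headers, body)


if __name__ == "__main__":
    for directive, allowed, used in check_nonces(SAMPLE_HEADERS, SAMPLE_BODY):
        print(f"{directive}: header allows {sorted(allowed)}, body uses {sorted(used)}")
```

Against a server with the configuration above, running `check_url` twice once the cache is warm is the quickest way to confirm the report: the body nonce stays constant across the two fetches while the header nonce changes, so the second call returns a mismatch for `style-src`.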
