
I'm trying to understand how the Content Security Policy nonce mechanism works in a scenario where the CSP header is set by Apache HTTPD acting as a reverse proxy and not by the application server itself.

Since the nonce is random and the application inserts it into the script tag, the only way I can see is the one where the response provided by the application (the backend part) contains the CSP header with the random nonce.

If the CSP header is set by Apache HTTPD (which is, by the way, another server, not the backend server), I cannot see how Apache can know the random nonce, synchronizing it with the nonce generated by the backend.

https://content-security-policy.com/nonce/

Comment:

You have to find a way to sync these two, either passing down the nonce for a request from the proxy down to the backend, so it can be inserted in all tags, or alternatively read the nonce value added by the backend upstream in the proxy before adding it to the headers. – eltuza

1 Answer


You need to generate the nonce on the server, and then have Apache pass that nonce to your script where it can be used.

We've created an open source module for Apache that simplifies this process: mod_cspnonce.

Here's a simple example of the server-side config:

LoadModule headers_module modules/mod_headers.so
LoadModule cspnonce_module modules/mod_cspnonce.so

# add the CSP_NONCE to the "default-src"
Header add Content-Security-Policy "default-src 'self' 'nonce-%{CSP_NONCE}e';"

Here's a simple example of using the nonce in your script:

<script nonce="<?= $_SERVER['CSP_NONCE'] ?>">
  var inline = 1;
</script>
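To make the synchronization the answer describes concrete, here is an added, self-contained Python model of the two hops (it is not the mod_cspnonce code and not part of the answer): the proxy side mints one nonce per request, hands it to the backend in an assumed request header named X-CSP-Nonce, the backend only echoes it into its script tags, and a small checker verifies that every script nonce in the body is one the CSP header actually allows, which is the property that breaks when the two servers drift apart.

```python
import base64
import os
import re

# Assumed name for the header the proxy uses to hand the nonce to the backend.
# It is an illustration only; the page and Apache define no such header.
NONCE_HEADER = "X-CSP-Nonce"


def generate_nonce() -> str:
    """Fresh per-request nonce: 128 bits of CSPRNG output, base64-encoded."""
    return base64.b64encode(os.urandom(16)).decode("ascii")


def backend_app(request_headers: dict) -> str:
    """Stand-in for the application server. It never generates a nonce;
    it only echoes the one the proxy handed down into its <script> tag."""
    nonce = request_headers[NONCE_HEADER]
    return (
        "<html><body>\n"
        f'<script nonce="{nonce}">var inline = 1;</script>\n'
        "</body></html>"
    )


def reverse_proxy(path: str):
    """Stand-in for the Apache reverse proxy: mint one nonce per request,
    pass it upstream, then put the same value in the response's CSP header."""
    nonce = generate_nonce()
    body = backend_app({NONCE_HEADER: nonce})
    headers = {"Content-Security-Policy": f"script-src 'self' 'nonce-{nonce}'"}
    return headers, body


_CSP_NONCE = re.compile(r"'nonce-([A-Za-z0-9+/=]+)'")
_TAG_NONCE = re.compile(r'<script[^>]*\snonce="([^"]*)"', re.IGNORECASE)


def nonces_consistent(headers: dict, body: str) -> bool:
    """True only if the body has at least one nonced <script> and every
    script nonce appears in the CSP header. A False result is exactly the
    out-of-sync situation the question worries about: the browser would
    refuse to run those inline scripts."""
    allowed = set(_CSP_NONCE.findall(headers.get("Content-Security-Policy", "")))
    used = _TAG_NONCE.findall(body)
    return bool(used) and all(n in allowed for n in used)
```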