• Resolved john53

    (@john53)


    Hi

    Thanks for the great plugin.

    I have the content security policy set up and have been using CSP validation sites in order to get feedback on what I need to do to get the policy right.

    object-src and base-uri show up as being correct, but for script-src it suggests I use strict dynamic combined with either nonce or hash.

    I can see there is an option in the script-src section for strict dynamic, but there aren’t any options for nonce or hash.

    Could you please let me know how to use nonce and hash?

    Thank you

    Best regards

    John


Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Author Dimitar Ivanov

    (@zinoui)

    @john53

    Why not just mark the “strict-dynamic” checkbox, and use the text box below to enter a nonce like this:

    'nonce-R9Li1vVh76uPF7EJke+HkA=='

    This will result in the following header:

    Header set Content-Security-Policy "script-src 'strict-dynamic' 'nonce-R9Li1vVh76uPF7EJke+HkA=='"

    Then load your scripts like this:
    <script nonce="R9Li1vVh76uPF7EJke+HkA==" src="color.js"></script>

    Thread Starter john53

    (@john53)

    Hi Dimitar

    Thank you very much for your help.

    I tried your suggestion and it passed the CSP evaluator with flying colours.

    Unfortunately it seems to prevent images from loading on my website, and I noticed the Autoptimize plugin won’t allow me to clear cache anymore.

    Is there another option I could try that might work better for my website?

    Thank you

    Best regards

    John

    Thread Starter john53

    (@john53)

    Hi Dimitar

    Managed to get images loading now by using self and hash ('sha256-ZoLPmUE984t1ctLy65xUnzPSpSzqqcao/3I8AjOTgNw=').

    I still can’t get Autoptimize “delete cache” to work.

    Could you please point me in the right direction of things to try out in order to solve this?

    Thank you

    Best regards

    John
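
An added example, not part of the original thread or the plugin's code: a nonce only protects a page if a fresh one is generated for every response, and a hash must cover the exact bytes of the inline script. The Python sketch below shows both for the `script-src` policy discussed above; `build_response` and the inline script text are assumptions made for illustration.

```python
import base64
import hashlib
import html
import secrets


def make_nonce() -> str:
    """Return a fresh 128-bit nonce. Call once per HTTP response, never reuse."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def script_hash(inline_source: str) -> str:
    """CSP hash source for the exact text between <script> and </script>.

    Every byte counts: added whitespace or minification changes the digest.
    """
    digest = hashlib.sha256(inline_source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def build_response(external_src: str, inline_source: str):
    """Build (header_value, html_body) for one response (hypothetical helper)."""
    nonce = make_nonce()
    header = "script-src 'strict-dynamic' 'nonce-{}' {}".format(
        nonce, script_hash(inline_source))
    body = (
        '<script nonce="{}" src="{}"></script>\n'.format(
            nonce, html.escape(external_src, quote=True))
        # The inline script is allowed by its hash, so it needs no nonce.
        + "<script>{}</script>".format(inline_source)
    )
    return header, body


if __name__ == "__main__":
    # Constructed sample input; color.js is the file name used in the thread.
    for _ in range(2):
        header, body = build_response("color.js", "console.log('ready');")
        print("Content-Security-Policy:", header)
        print(body)
```

Running it prints two responses with different nonces. A nonce written once into a static `Header set` line is identical for every visitor, so the header has to come from the code that renders the page.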

    Plugin Author Dimitar Ivanov

    (@zinoui)

    I really don’t know what the issue is with the plugin you mentioned above.

    Did you still get errors in the DevTools console? If yes, which ones exactly?

    Thread Starter john53

    (@john53)

    Hi

    No, there were no errors showing.

    I’ve managed to get everything working by relaxing some of the rules a bit.

    Although it doesn’t give me 100% security, it will still be a lot better than it was.

    Thank you for all your help

    Best regards

    John

    Plugin Author Dimitar Ivanov

    (@zinoui)

    You’re welcome.

  • The topic ‘Nonce and Hash ?’ is closed to new replies.