0

I have http_sub_module installed, but the 'sub_filter' line is not working. I'm trying to use it for a dynamic nonce for CSP as per these instructions, replacing some text in script tags with the variable set in a conf file. The nonce is showing up in the CSP header, but not in the script tag; it just shows the text that needs to be replaced. I have gzip on and added the proxy_set_header Accept-Encoding ""; line. Could this be a permissions/ownership issue regarding the PHP files and/or website directories?

The server block has this configuration in it:

proxy_set_header Accept-Encoding "";
set_secure_random_alphanum $HTcspNonce 32;
sub_filter_once off;
sub_filter_types *;
sub_filter **CSP_NONCE** $HTcspNonce;

The scripts have nonce="**CSP_NONCE**" in the <script> tag.

Thanks for any help!

1 Answer

0

Turns out, I had zlib.output_compression = On in php.ini, which was interfering. It's not needed, since I have gzip on in nginx.

1
  • I agree with this. If you use compression, you should decide to use only one of them; I had this in the past. Don't forget to accept your answer if possible.
    – djdomi
    Dec 1 at 15:12
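
An added example, not part of the original question or answer: a small Python model of why the placeholder survives when the upstream (here, PHP with zlib.output_compression) has already gzipped the body, plus a response check that catches it. The substitution is modelled as a plain byte replace, and the function names and sample HTML are constructed for illustration.

```python
import gzip
import re
import secrets

PLACEHOLDER = b"**CSP_NONCE**"

def sub_filter(body: bytes, nonce: str) -> bytes:
    """Model of a byte-level substitution: it only sees the bytes the upstream sent."""
    return body.replace(PLACEHOLDER, nonce.encode())

def check_response(headers: dict, body: bytes) -> list:
    """Return the nonce-delivery problems found in one response (empty list = OK)."""
    problems = []
    if headers.get("Content-Encoding", "").lower() == "gzip":
        body = gzip.decompress(body)  # look at what the browser will actually parse
    if PLACEHOLDER in body:
        problems.append("placeholder not replaced")
    m = re.search(r"'nonce-([A-Za-z0-9+/_=-]+)'",
                  headers.get("Content-Security-Policy", ""))
    if m is None:
        problems.append("no nonce in CSP header")
        return problems
    tag_nonces = set(re.findall(rb'<script[^>]*\snonce="([^"]*)"', body))
    if tag_nonces != {m.group(1).encode()}:
        problems.append("script nonce does not match CSP header")
    return problems

def simulate(upstream_compresses: bool) -> list:
    """Constructed page passed through the modelled filter, then checked."""
    nonce = secrets.token_hex(16)  # stands in for $HTcspNonce
    html = (b'<html><head><script nonce="**CSP_NONCE**">init()</script>'
            b'<script nonce="**CSP_NONCE**">track()</script></head></html>')
    headers = {"Content-Security-Policy": f"script-src 'nonce-{nonce}'"}
    if upstream_compresses:
        # The upstream compresses before the filter runs, so the literal
        # placeholder bytes are no longer present in the stream.
        html = gzip.compress(html, mtime=0)
        headers["Content-Encoding"] = "gzip"
    return check_response(headers, sub_filter(html, nonce))

if __name__ == "__main__":
    print("plain upstream:  ", simulate(False))
    print("gzipped upstream:", simulate(True))
```

The same check works on a saved response from the real site: pass its headers and raw body to check_response.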
