I want to add the following CSP directive in APACHE because I want it to be applied on every page.

<IfModule mod_headers.c>
    <FilesMatch "\.(htm|html|php)$">
        # A bare "Content-Security-Policy:" line is not valid Apache configuration;
        # mod_headers needs a Header directive, and the stray quote before https: is removed.
        Header set Content-Security-Policy "script-src 'strict-dynamic' 'nonce-{random}' 'unsafe-inline' https:;"
    </FilesMatch>
</IfModule>

I'd like to generate the {random} value directly in APACHE as well (if possible).

Is it possible to generate and insert it directly in the APACHE CSP directive? Or is this a bad idea, and should I generate and insert it at the application layer (PHP) instead?

NOTE: I did find this, "Generate a nonce with Apache 2.4 (for a Content Security Policy header)", which looked promising, but I'm not sure if $_SERVER['UNIQUE_ID'] is actually a random enough value.

3 Answers

The nonce you set up in your CSP header has to be the same one you use with your script tag. That's why it is typically set at the application level, where the same value can be used in the HTTP header and in your HTML. If you set it at the Apache level, how do you use it in your application?

Comment: As an example, you could do this in Apache:

    <IfModule mod_headers.c>
        <FilesMatch "\.(htm|html|php)$">
            # %{UNIQUE_ID}e expands the environment variable set by mod_unique_id
            Header set Content-Security-Policy "script-src 'strict-dynamic' 'nonce-%{UNIQUE_ID}e' 'unsafe-inline' https:;"
        </FilesMatch>
    </IfModule>

And then use the variable $_SERVER['UNIQUE_ID'] in your PHP code. Aug 28, 2018 at 1:47


@user3526609 gets credit for this wonderful solution, but I wanted to summarize it to make it clear for any others out there like me who hunted everywhere for this and found it buried in a comment.

In short, this is how to create a CSP nonce in an .htaccess file rather than in a web application, but still be able to utilize it in the web application.

You can “generate” a nonce with Apache by reusing the Unique ID it creates for every request. Create the Content Security Policy header as follows (lots of other important bits excluded for brevity):

Header always set Content-Security-Policy "\
  default-src 'self'; \
  script-src 'self' 'nonce-%{UNIQUE_ID}e';"

Note that the backslashes break the directive into nicely readable lines; Apache removes them when it reads the configuration.

This creates something like the following:

'nonce-STRINGofRANDOMcharacters'

And PHP can access it as follows:

$_SERVER['UNIQUE_ID']

Example in a web page:

<script 
  src="https://www.google.com/recaptcha/api.js?render=your-site-key"
  nonce="<?php echo $_SERVER['UNIQUE_ID']; ?>">
</script>

In Apache you must have the module mod_unique_id enabled. It generates a unique environment variable (UNIQUE_ID). However, its encoding uses characters that are illegal in a CSP nonce, [A-Za-z0-9@-], instead of the usual base64 alphabet [A-Za-z0-9+/].

You must use base64 encoding to generate proper values. This only works on Apache 2.4 and higher. For example:

Header set X-Nonce "expr=%{base64:%{reqenv:UNIQUE_ID}}"

Or to generate complete CSP policy do:

Header set Content-Security-Policy "expr=default-src 'self'; script-src 'self' 'nonce-%{base64:%{reqenv:UNIQUE_ID}}'"
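The application side of the two approaches above (the second answer's UNIQUE_ID reuse and the third answer's base64 step), as an added PHP example that is not part of the question or any answer. It assumes a hypothetical switch APACHE_SETS_CSP that you set to true only when your Apache config already emits the policy with 'nonce-%{base64:%{reqenv:UNIQUE_ID}}'; the /app.js path and 16-byte nonce length are illustrative.

```php
<?php
declare(strict_types=1);
// Added example, not code from the question or its answers.
// Hypothetical switch: true when httpd.conf/.htaccess already sends the
// Content-Security-Policy header built from %{base64:%{reqenv:UNIQUE_ID}}.
const APACHE_SETS_CSP = false;

// CSP nonce grammar: base64 or base64url characters, then up to two '='.
// A raw UNIQUE_ID fails this because of its '@' characters.
function isValidCspNonce(string $nonce): bool
{
    return preg_match('~^[A-Za-z0-9+/_-]+={0,2}$~', $nonce) === 1;
}

// Mirrors Apache's %{base64:%{reqenv:UNIQUE_ID}} exactly (standard base64
// with padding), so the <script nonce> matches the header Apache sent.
function nonceFromUniqueId(string $uniqueId): string
{
    return base64_encode($uniqueId);
}

// Application-generated nonce: 128 bits from the CSPRNG, fresh per request.
// Use this when PHP, not Apache, sends the header.
function nonceFromCsprng(): string
{
    return base64_encode(random_bytes(16));
}

if (APACHE_SETS_CSP && !empty($_SERVER['UNIQUE_ID'])) {
    $nonce = nonceFromUniqueId($_SERVER['UNIQUE_ID']);
} else {
    $nonce = nonceFromCsprng();
    // Send the policy from PHP; the same $nonce goes into every script tag.
    header("Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-{$nonce}'");
}
assert(isValidCspNonce($nonce));
?>
<script nonce="<?= htmlspecialchars($nonce, ENT_QUOTES) ?>" src="/app.js"></script>
```

Whichever branch runs, the nonce value in the header and in the tag come from the same per-request computation, which is the matching requirement the first answer points out.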
