Web Experience Platforms
Prevent XSS Attacks with a Nonce in the Content Security Policy
Tuesday, January 12, 2021
Layer One - Development Manager - Phil Busch
An example of a script-src with a nonce set looks as follows:
A corresponding script tag in the markup would look like this:
The key to a successful usage of a nonce in the script-src is that the nonce value is unique for every response the server sends, not just for every visit to your site. There must be functionality in place that generates a fresh value on every page load, using a cryptographically secure random generator with enough entropy (at least 128 bits, base64-encoded) that an attacker cannot predict it; a nonce that is reused, guessable, or baked into a cached page gives no protection. Furthermore, this functionality must dynamically insert the nonce into the script-src directive of the Content-Security-Policy header and onto every script tag in the markup, because a browser enforcing the policy will refuse to run any script (including one injected through an XSS flaw) that does not carry the matching nonce.
This nonce uniqueness requirement makes the solution well suited to the Digital Experience Platforms we help our clients utilize. This is not the type of functionality that can be set in static markup once and forgotten about. There must be technology in place to ensure that the nonce is applied to the script tags of every component in use today, as well as to future components that do not exist yet.
We have an accelerator that we have developed here at Layer One for our clients on Sitecore that helps put this functionality in place rapidly. It also solves other problems around the management of the Content Security Policy directives. I will be talking about that more in a blog post coming this Friday - stay tuned!