bnomei / kirby3-security-headers

Kirby Plugin for easier Security Headers setup
https://forum.getkirby.com/t/kirby3-security-headers-best-practice-headers-nonce-csp-and-feature-policies/23583
MIT License

"nonce" question #23

Closed coolemur closed 3 years ago

coolemur commented 3 years ago

Hello there

This plugin automatically adds a nonce to the headers. Is it possible to disable the nonce in the headers using the CSP loader?

'nonce-' An allow-list for specific inline scripts using a cryptographic nonce (number used once). The server must generate a unique nonce value each time it transmits a policy. It is critical to provide an unguessable nonce, as bypassing a resource’s policy is otherwise trivial. See unsafe inline script for an example. Specifying nonce makes a modern browser ignore 'unsafe-inline' which could still be set for older browsers without nonce support.

Looks like 'unsafe-inline' doesn't work when a nonce is present in the headers. So without disabling the nonce in the headers, the 'unsafe-inline' option is not usable.

I know it's not a good idea to enable unsafe-inline, but sometimes inline scripts are generated by third parties.

Thank you

bnomei commented 3 years ago

Setting bnomei.securityheaders.seed to null or false in config should do the trick.

https://github.com/bnomei/kirby3-security-headers/blob/f8ccb293666e6b25451d81b45dea0801e8bdfe10/index.php#L8
https://github.com/bnomei/kirby3-security-headers/blob/f8ccb293666e6b25451d81b45dea0801e8bdfe10/classes/SecurityHeaders.php#L135