Content Security Policy (CSP) Nonce Without Matching Script Block - Vulnerability Database

Description

The Content Security Policy (CSP) for this application includes a nonce value in the policy directive, but no corresponding script or style blocks use this nonce for validation. This represents a misconfiguration where the CSP is prepared to validate inline scripts or styles using a nonce-based approach, but the implementation is incomplete or the nonce has been removed from the HTML elements that should reference it.

Remediation

Review and correct the Content Security Policy implementation using one of the following approaches:

Option 1 - Remove Unused Nonce (if nonce-based validation is not needed):
Remove the nonce value from the CSP directive if inline scripts/styles are not being used or if you are using other CSP mechanisms.

Before: script-src 'nonce-abc123' 'self';
After:  script-src 'self';

Option 2 - Apply Nonce to Inline Scripts/Styles (if nonce-based validation is intended):
Add the nonce attribute to all inline script and style blocks that should be validated by CSP.
<!-- CSP Header: script-src 'nonce-abc123' 'self'; -->
<script nonce="abc123">
  // Your inline JavaScript code
  console.log('This script is validated by CSP');
</script>

Best Practices:
  • Ensure nonce values are cryptographically random and unique per page load
  • Generate nonces server-side and never reuse them across requests
  • Verify that all intended inline scripts and styles include the matching nonce attribute
  • Test the CSP in browser developer tools to confirm proper functionality
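The following is an added example, not Invicti's own code: it generates a per-response nonce as the best practices above require, builds the matching policy, and then performs the check this finding describes, reporting any nonce declared in the policy that no script or style element actually carries. The directive-to-element mapping, regexes and sample response are assumptions constructed for the example.

```python
import base64
import re
import secrets

# Elements governed by each directive (default-src is the fallback for both).
TAGS_FOR = {
    "script-src": ("script",), "script-src-elem": ("script",),
    "style-src": ("style",), "style-src-elem": ("style",),
    "default-src": ("script", "style"),
}
NONCE_IN_POLICY = re.compile(r"'nonce-([A-Za-z0-9+/=_-]+)'")
NONCE_IN_HTML = re.compile(r"<(script|style)\b[^>]*?\snonce=[\"']([^\"']+)[\"']", re.I)

def generate_nonce() -> str:
    """Fresh 128-bit CSPRNG value, base64-encoded so it is safe inside the header."""
    return base64.b64encode(secrets.token_bytes(16)).decode()

def build_csp(nonce: str) -> str:
    """Policy that allows inline scripts/styles only when they carry this nonce."""
    return f"script-src 'nonce-{nonce}' 'self'; style-src 'nonce-{nonce}' 'self'"

def policy_nonces(csp: str) -> dict:
    """Map each directive name to the set of nonce values it declares."""
    found = {}
    for directive in csp.split(";"):
        parts = directive.split()
        if parts:
            nonces = set(NONCE_IN_POLICY.findall(directive))
            if nonces:
                found[parts[0].lower()] = nonces
    return found

def html_nonces(html: str) -> dict:
    """Nonce values actually carried by <script> and <style> elements."""
    used = {"script": set(), "style": set()}
    for tag, value in NONCE_IN_HTML.findall(html):
        used[tag.lower()].add(value)
    return used

def unmatched_nonces(csp: str, html: str) -> list:
    """(directive, nonce) pairs declared in the policy but used by no element."""
    used = html_nonces(html)
    findings = []
    for directive, nonces in policy_nonces(csp).items():
        for nonce in sorted(nonces):
            if not any(nonce in used[t] for t in TAGS_FOR.get(directive, ())):
                findings.append((directive, nonce))
    return findings

# Constructed sample: the policy declares the nonce for scripts and styles, but
# only the <script> carries it, so the style-src nonce is reported as unmatched.
SAMPLE_CSP = "script-src 'nonce-abc123' 'self'; style-src 'nonce-abc123' 'self'"
SAMPLE_HTML = '<script nonce="abc123">console.log("ok")</script><style>p{}</style>'
```

Running `unmatched_nonces(SAMPLE_CSP, SAMPLE_HTML)` yields the style-src finding; an empty list means every declared nonce is referenced by at least one matching element.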

Severity

Information
