Nonce Usage Detected in Content Security Policy (CSP) Directive
Description
This informational alert indicates that the application's Content Security Policy (CSP) uses nonce-based directives to control script or style execution. While nonces are a valid and recommended CSP implementation method, this detection serves to document their usage and highlight potential configuration issues or compatibility concerns that may affect security effectiveness. The scanner has analyzed the CSP configuration to identify any misconfigurations or unintended side-effects that could weaken the intended security posture.
Remediation
Review the CSP configuration details provided in the alert findings to identify any specific issues or recommendations. Ensure that nonces are properly implemented by following these best practices:
1. Generate cryptographically random nonce values for each HTTP response using a secure random number generator
2. Never reuse nonce values across different requests or page loads
3. Ensure nonce values are sufficiently long (at least 128 bits of entropy recommended)
4. Apply the same nonce value to both the CSP header/meta tag and the corresponding script/style tags
5. Disable caching for pages that use nonce-based CSP or implement dynamic nonce injection
6. Consider using 'strict-dynamic' alongside nonces to simplify CSP management for dynamically loaded scripts
Example of proper nonce implementation:
HTTP Response Header:
Content-Security-Policy: script-src 'nonce-r4nd0m1z3dv4lu3h3r3'
HTML:
<script nonce="r4nd0m1z3dv4lu3h3r3"> // Your trusted script code </script>
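The six practices above as working code, added here as an illustration and not part of the scanner's output or of any particular framework: a response is modelled as a plain dict of headers and body (an assumption standing in for whatever serves the page), one function builds a correctly nonced response and two others apply the checks a scanner would run against it.

```python
import base64
import re
import secrets

# 16 random bytes from the OS CSPRNG = 128 bits of entropy, base64-encoded as CSP expects (items 1 and 3)
def generate_nonce() -> str:
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")

def build_response(script_body: str, strict_dynamic: bool = True) -> dict:
    """Fresh nonce per load (item 2), same value in header and tag (item 4), no caching (item 5), strict-dynamic (item 6)."""
    nonce = generate_nonce()
    sources = [f"'nonce-{nonce}'"] + (["'strict-dynamic'"] if strict_dynamic else [])
    headers = {
        "Content-Security-Policy": f"script-src {' '.join(sources)}; object-src 'none'; base-uri 'none'",
        "Cache-Control": "no-store",  # a cached copy would replay the same nonce to later visitors
    }
    html = f'<html><body><script nonce="{nonce}">{script_body}</script></body></html>'
    return {"headers": headers, "body": html}

NONCE_IN_CSP = re.compile(r"'nonce-([A-Za-z0-9+/\-_]+=*)'")
NONCE_IN_HTML = re.compile(r'<script\b[^>]*\snonce="([^"]*)"', re.IGNORECASE)

def check_response(response: dict) -> list:
    """Checks applied to one response; an empty list means no finding."""
    findings = []
    csp = response["headers"].get("Content-Security-Policy", "")
    csp_nonces = set(NONCE_IN_CSP.findall(csp))
    for n in csp_nonces:
        try:  # spec says nonce values are base64 (standard or URL-safe alphabet), so decode to measure them
            raw = base64.b64decode(n.translate(str.maketrans("-_", "+/")), validate=True)
        except Exception:
            findings.append(f"nonce {n!r} is not decodable base64, entropy cannot be judged")
            continue
        if len(raw) < 16:
            findings.append(f"nonce {n!r} carries only {len(raw) * 8} bits")
    for n in NONCE_IN_HTML.findall(response["body"]):
        if n not in csp_nonces:
            findings.append(f"script tag nonce {n!r} is not listed in the CSP header")
    if "no-store" not in response["headers"].get("Cache-Control", ""):
        findings.append("Cache-Control does not prevent caching of a nonce-bearing page")
    return findings

def reused_nonces(responses: list) -> set:
    """Nonce values shared by two or more responses (a reuse finding, item 2)."""
    seen, reused = set(), set()
    for r in responses:
        for n in NONCE_IN_CSP.findall(r["headers"].get("Content-Security-Policy", "")):
            (reused if n in seen else seen).add(n)
    return reused
```

Run check_response over a captured response to reproduce the alert's reasoning, and reused_nonces over several captures of the same page to catch a nonce that is static or served from cache.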
Address any specific remediation advice provided in the alert details for your particular CSP configuration.