Static Nonce Identified in Content Security Policy (CSP)
Description
The application's Content Security Policy (CSP) uses a static (hardcoded) nonce value instead of generating a unique nonce for each request. CSP nonces are designed to be cryptographically random, single-use tokens: the browser only executes inline scripts or styles whose nonce attribute matches the one in the policy, so an attacker who injects markup cannot supply a valid nonce. When the same nonce is reused across requests, it is no longer a secret; anyone who has seen one response knows the value every later response will accept, which defeats the mechanism and allows attackers who discover the nonce to bypass CSP protections.
Remediation
Generate a unique, cryptographically random nonce value for each HTTP response and include it in both the CSP header and any inline scripts or styles that need to execute. The nonce should be at least 128 bits of random data, base64-encoded, and never reused across requests.
Example server-side implementation (Node.js/Express):

const express = require('express');
const crypto = require('crypto');

const app = express();

app.use((req, res, next) => {
  // Generate a unique nonce for this request: 16 random bytes = 128 bits
  const nonce = crypto.randomBytes(16).toString('base64');
  // Expose the nonce to the view layer so templates can stamp it on inline tags
  res.locals.nonce = nonce;
  // Set the CSP header with the nonce; 'strict-dynamic' lets nonced scripts load further scripts
  res.setHeader(
    'Content-Security-Policy',
    `script-src 'nonce-${nonce}' 'strict-dynamic'; object-src 'none'; base-uri 'none';`
  );
  next();
});

Then reference the nonce in your HTML templates:

<script nonce="{{nonce}}">
  // Your inline script here
</script>

Ensure that the nonce generation occurs on the server side for each request and is never cached or hardcoded in your application code or configuration files. Caching a full HTML response (for example in a CDN or reverse proxy) has the same effect as hardcoding the nonce, because every client then receives the same value.