Weak Nonce Detected in Content Security Policy (CSP) Declaration - Vulnerability Database

Weak Nonce Detected in Content Security Policy (CSP) Declaration

Description

The Content Security Policy (CSP) implementation uses a weak, predictable or reused nonce value in one or more directives. CSP nonces are single-use tokens that allow specific inline scripts or styles to execute while all other inline code is blocked. The browser trusts any inline element whose nonce attribute matches the nonce in the policy, so the scheme only works if the value is unguessable and unique to the response that carries it: the CSP specification calls for at least 128 bits from a cryptographically secure random number generator, minted fresh for every response. When a nonce is static, derived from predictable input (a timestamp, counter or session identifier), or reused across requests, an attacker who can inject markup into the page, or who has observed the value once, simply puts the known nonce on their own script tag and the policy allows it. The nonce then provides no meaningful protection against cross-site scripting.

Remediation

Implement strong, cryptographically random nonces that are generated uniquely for each HTTP response. Follow these steps to remediate:

1. Generate Cryptographically Random Nonces: Use the platform's secure random number generator to create a unique nonce value for every HTTP response that carries the policy. The nonce should be at least 128 bits (16 bytes) of random data, base64-encoded. Do not derive it from timestamps, request counters, session identifiers or a non-cryptographic generator such as Math.random().

Example (Node.js):

const crypto = require('crypto');
const nonce = crypto.randomBytes(16).toString('base64');

Example (PHP):

$nonce = base64_encode(random_bytes(16));

2. Include the Nonce in CSP Header: Add the generated nonce to the Content-Security-Policy header of the same response. Note that once a directive contains a nonce source, browsers that support it ignore 'unsafe-inline' in that directive, so do not keep 'unsafe-inline' as a fallback.
Content-Security-Policy: script-src 'nonce-GENERATED_NONCE_HERE'

3. Apply Nonce to Inline Scripts/Styles: Add the same nonce value to the nonce attribute of every inline script or style tag you intend to allow. The attribute value must match the value in the header exactly; any inline element without a matching nonce is blocked.
<script nonce="GENERATED_NONCE_HERE">
  // Your inline script
</script>

4. Never Reuse Nonces: Ensure each response generates a fresh nonce value. Never use static, hardcoded, or predictable nonce values, and do not mint the nonce at application start-up or at template build time. Full-page caching is a common cause of unintended reuse: a response cached by a CDN, reverse proxy or static site generator serves the same nonce to every client until the cache expires. Exclude nonce-bearing pages from shared caches (for example with Cache-Control: no-store) or inject the nonce at the edge on every request.

5. Verify Implementation: Request the same page several times and confirm that the nonce in the Content-Security-Policy header changes on every response and matches the nonce attribute in the returned HTML. Then load the page in a browser and confirm that an inline script without the correct nonce is blocked and reported as a CSP violation in the developer console.

Related Vulnerabilities

Severity

Information

Classification