CSP docs: recommend a 256-bit nonce

This change should have no code impact. We previously used a 128-bit nonce. This was probably fine, but more entropy should further protect folks.
helmetjs · Dec 4, 2023 · 1972319 · 1972319
1 parent 9d93280
commit 1972319
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -103,10 +103,10 @@ app.use(
 
 ```js
 // Sets the `script-src` directive to
-// "'self' 'nonce-e33ccde670f149c1789b1e1e113b0916'"
+// "'self' 'nonce-e33cc...'"
 // (or similar)
 app.use((req, res, next) => {
-  res.locals.cspNonce = crypto.randomBytes(16).toString("hex");
+  res.locals.cspNonce = crypto.randomBytes(32).toString("hex");
   next();
 });
 app.use(

diff --git a/middlewares/content-security-policy/README.md b/middlewares/content-security-policy/README.md
@@ -58,7 +58,7 @@ const crypto = require("crypto");
 const contentSecurityPolicy = require("helmet-csp");
 
 app.use((req, res, next) => {
-  res.locals.nonce = crypto.randomBytes(16).toString("hex");
+  res.locals.nonce = crypto.randomBytes(32).toString("hex");
   next();
 });