From 197231975a8a1b28cf3ff813228be0b98295c664 Mon Sep 17 00:00:00 2001
From: Evan Hahn
Date: Sun, 3 Dec 2023 19:21:27 -0600
Subject: [PATCH] CSP docs: recommend a 256-bit nonce

This change should have no code impact. We previously used a 128-bit nonce. This was probably fine, but more entropy should further protect folks.
---
 README.md | 4 ++--
 middlewares/content-security-policy/README.md | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index ea4a67a..f585ac8 100644
--- a/README.md
+++ b/README.md
@@ -103,10 +103,10 @@ app.use(
 ```js
 // Sets the `script-src` directive to
-// "'self' 'nonce-e33ccde670f149c1789b1e1e113b0916'"
+// "'self' 'nonce-e33cc...'"
 // (or similar)
 app.use((req, res, next) => {
- res.locals.cspNonce = crypto.randomBytes(16).toString("hex");
+ res.locals.cspNonce = crypto.randomBytes(32).toString("hex");
 next();
 });
 app.use(
diff --git a/middlewares/content-security-policy/README.md b/middlewares/content-security-policy/README.md
index b66178c..c1fc215 100644
--- a/middlewares/content-security-policy/README.md
+++ b/middlewares/content-security-policy/README.md
@@ -58,7 +58,7 @@ const crypto = require("crypto");
 const contentSecurityPolicy = require("helmet-csp");
 app.use((req, res, next) => {
- res.locals.nonce = crypto.randomBytes(16).toString("hex");
+ res.locals.nonce = crypto.randomBytes(32).toString("hex");
 next();
 });