Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

set_secure_random_alphanum doesn't work well with fastcgi_cache #42

Open
Dreamsorcerer opened this issue Aug 26, 2018 · 0 comments
Open

set_secure_random_alphanum doesn't work well with fastcgi_cache #42

Dreamsorcerer opened this issue Aug 26, 2018 · 0 comments

Comments

@Dreamsorcerer
Copy link

I'm trying to use a secure nonce to allow some inline code through a CSP. However, this doesn't work when combined with fastcgi_cache as the nonce value used in the web page is cached, but the nonce value output in the header is created anew.

The server config looks something like this:

	fastcgi_param CSP_NONCE $nonce;
	more_set_headers "Content-Security-Policy: style-src 'nonce-$nonce';";

	location = / {
		set_secure_random_alphanum $nonce 10;
		fastcgi_pass php;
	}

The result is that a nonce is generated and inserted into the CSP header and passed to PHP which inserts it into the HTML. But, as mentioned, when using fastcgi_cache, the header/nonce is not cached along with the page.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@Dreamsorcerer