mod_cspnonce: Apache does not recognize %{CSP_NONCE}Answered

Elias

Here's my config:

<IfModule headers_module>
Header set Content-Security-Policy “default-src 'self'; img-src 'self' https: data:; script-src 'nonce-%{CSP_NONCE}' 'unsafe-eval'; style-src 'nonce-%{CSP_NONCE}'; style-src-attr 'unsafe-inline'; style-src-elem 'self';”
</IfModule>

I get a syntax error from Apache. It doesn't like the % sign.

I also tried with $ instead of %. No syntax error, but ${CSP_NONCE} is not replaced by a nonce.

Sep 21permalink

Answer

Wyatt O'Day

Covered here : https://github.com/wyday/mod_cspnonce#server-config

Sep 22permalink

LimeLM
Overview Pricing & Sign up Why LimeLM? Tour Log in Help
wyBuild
Overview Pricing & Buy Features What's new Help
Support forum
wyDay blog
wyDay Home
Downloads Buy Contact us Careers

Guest name
Youʼre not logged-in, but you can still post as a guest.

Email