CSP headers with a script-src nonce directive for Kirby
```php
// Fresh random nonce for this request; every <script> on the page must carry it
$csp_nonce = base64_encode(random_bytes(20));
$csp_header = "Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-" . $csp_nonce . "';";
// set `csp-nonce` so it's accessible from templates
c::set('csp-nonce', $csp_nonce);
// set headers (the CSP header must actually be sent, not just built)
header($csp_header);
header('X-Frame-Options: SAMEORIGIN');
header('X-XSS-Protection: 1; mode=block');
header('X-Content-Type-Options: nosniff');
header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
```
```html
<script type="text/javascript" nonce="<?= c::get('csp-nonce') ?>">
console.log('Hello World!')
</script>
```
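An added example (not code from the gist or from Kirby itself) that packages the same idea as plain PHP helpers: one nonce per request, a policy assembled from a directive map and actually sent with `header()`, a Report-Only mode for trying the policy out, and a template helper that escapes the nonce. The function names are my own; `Content-Security-Policy-Report-Only` is the standard header name.

```php
<?php
// Added example, not part of the original gist or of Kirby.

function csp_nonce(): string
{
    // One nonce per request: a reused or predictable nonce defeats the purpose,
    // and every <script> in the response must carry this same value.
    static $nonce = null;
    if ($nonce === null) {
        $nonce = base64_encode(random_bytes(20));
    }
    return $nonce;
}

function csp_policy(string $nonce): string
{
    // Directive map -> header value. Inline scripts without the nonce are blocked.
    $directives = [
        'default-src' => ["'self'"],
        'script-src'  => ["'self'", "'nonce-{$nonce}'"],
        'object-src'  => ["'none'"],
        'base-uri'    => ["'self'"],
    ];
    $parts = [];
    foreach ($directives as $name => $sources) {
        $parts[] = $name . ' ' . implode(' ', $sources);
    }
    return implode('; ', $parts);
}

function send_security_headers(bool $reportOnly = false): void
{
    // Report-Only shows in the browser console what would be blocked, without blocking.
    $name = $reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
    header($name . ': ' . csp_policy(csp_nonce()));
    header('X-Frame-Options: SAMEORIGIN');
    header('X-Content-Type-Options: nosniff');
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
}

// Template helper: the nonce is base64, but escape it anyway before using it in an attribute.
function csp_nonce_attr(): string
{
    return 'nonce="' . htmlspecialchars(csp_nonce(), ENT_QUOTES, 'UTF-8') . '"';
}

// Usage: call send_security_headers() before any output, then in the template:
// echo '<script ' . csp_nonce_attr() . '>console.log("Hello World!")</script>';
```

Run with `$reportOnly = true` first and watch the console for violations; switch to enforcing once every inline script carries the nonce.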


S1SYPHOS commented Feb 16, 2018

IMHO strict-transport-security should be Strict-Transport-Security, otherwise it may not get accepted (at least it didn't for me)

