CSP headers with a script-src nonce directive for Kirby
<?php
// generate a fresh, unguessable nonce for every response; base64 keeps it header-safe
$csp_nonce = base64_encode(random_bytes(20));
$csp_header = "Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-" . $csp_nonce . "';";
// set `csp-nonce` so it's accessible from templates
c::set('csp-nonce', $csp_nonce);
// set headers (the CSP header built above must actually be sent, too)
header($csp_header);
header('X-Frame-Options: SAMEORIGIN');
header('X-XSS-Protection: 1; mode=block');
header('X-Content-Type-Options: nosniff');
header('Strict-Transport-Security: max-age=31536000; includeSubdomains');
?>
<!-- in the template: only inline scripts carrying the matching nonce are allowed to run -->
<script type="text/javascript" nonce="<?= c::get('csp-nonce') ?>">
console.log('Hello World!')
</script>
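The same nonce scheme as an added example (not the gist's own code), extended with an audit that lists the inline `<script>` tags a browser would refuse under this policy, which is useful when a Kirby plugin injects scripts that never receive the nonce; `csp_nonce`, `csp_header` and `csp_audit_scripts` are assumed helper names.

```php
<?php
// Added example; csp_nonce(), csp_header() and csp_audit_scripts() are assumed names.

function csp_nonce(): string {
    // 20 random bytes, base64-encoded: ASCII-safe and unguessable, new per response
    return base64_encode(random_bytes(20));
}

function csp_header(string $nonce): string {
    // 'self' allows same-origin script files; the nonce allows matching inline blocks
    return "Content-Security-Policy: default-src 'self'; "
         . "script-src 'self' 'nonce-" . $nonce . "';";
}

// Return the opening tag of every inline <script> that lacks the matching nonce.
// Scripts with a src attribute are left to the browser's 'self' source check.
function csp_audit_scripts(string $html, string $nonce): array {
    $blocked = [];
    if (!preg_match_all('/<script\b[^>]*>/i', $html, $m)) {
        return $blocked;
    }
    foreach ($m[0] as $tag) {
        $has_src = (bool) preg_match('/\bsrc\s*=/i', $tag);
        $tag_nonce = preg_match('/\bnonce\s*=\s*["\']([^"\']*)["\']/i', $tag, $n) ? $n[1] : '';
        // constant-time comparison, so the audit itself never leaks the nonce via timing
        if (!$has_src && !hash_equals($nonce, $tag_nonce)) {
            $blocked[] = $tag;
        }
    }
    return $blocked;
}

// Constructed sample page: one correctly nonced inline script, one stray inline
// script (as a plugin might inject) and one same-origin external script.
$nonce = csp_nonce();
$html = '<script nonce="' . $nonce . '">console.log("ok")</script>'
      . '<script>console.log("stray")</script>'
      . '<script src="/assets/app.js"></script>';

echo csp_header($nonce), PHP_EOL;
foreach (csp_audit_scripts($html, $nonce) as $tag) {
    // only the stray inline script is reported
    echo 'would be blocked: ', $tag, PHP_EOL;
}
```

Run the audit against a rendered page before deploying a nonce policy; anything it reports will show up as a CSP violation in the browser console.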

@S1SYPHOS S1SYPHOS commented Feb 16, 2018

IMHO strict-transport-security should be Strict-Transport-Security, otherwise it may not get accepted (at least it didn't for me)

