Add nonce value to Content Security Policy Headers? | Community
July 26, 2024
Solved


Hello everyone.

We are working on AEM as a Cloud Service.


We are trying to add a nonce attribute in the Content-Security-Policy header.

We have been looking at different solutions, but none is satisfactory.

We started thinking about making a filter in the AEM application server to read the header, add a random number and put it in the <script nonce="xxxxx"> tags; we discarded this option because the portal has a cache.
We have found several articles indicating how to implement this functionality in the (Apache web server) dispatcher.

We enable Includes in our virtual host to activate SSI and thus substitute, in the pages, the variable set in the dispatcher:

Header set Content-Security-Policy "script-src ... 'nonce-%{UNIQUE_ID}e'; ..."
<script nonce="<!--#echo var=UNIQUE_ID -->">...</script>

The UNIQUE_ID variable is not strictly base64 encoded. CSP requires a nonce to be base64 encoded; you can solve this by using Apache expressions, but it starts to get complicated.

A better approach is to use a purpose-built module, such as mod_cspnonce. It also provides an environment variable, in this case called CSP_NONCE.

We have tried this in the dispatcher and the variable returns null; we think this module is not available in the dispatcher. Is it possible to enable this module in the dispatcher?

I don't know whether we could have problems with the Fastly CDN.

Or maybe you can think of another solution.


Best Regards.

3 replies

h_kataria
Community Advisor
July 26, 2024

jorganer (Author)
Level 2
July 26, 2024

Thank you very much.

I have consulted that article before opening this query.

Greetings.

Pradeep_Kumar_Srivastav
Community Advisor
Accepted solution
July 27, 2024

Hi @jorganer, have you considered a custom AEM filter? There will of course be some trade-offs that need to be considered. Despite your initial concerns about caching, a custom AEM filter could be a viable option. You could generate a nonce, store it in a session or request attribute, and inject it into the response. While caching might be a challenge, it could be handled through cache invalidation strategies or by using a unique nonce per user session. Something like below.

// Nonce Sling Filter in AEM
import java.io.IOException;
import java.util.Base64;
import java.util.UUID;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.osgi.service.component.annotations.Component;

@Component(immediate = true, service = Filter.class, property = {
        "sling.filter.scope=REQUEST",
        "sling.filter.pattern=/.*"
})
public class CSPNonceFilter implements Filter {
    @Override
    public void init(FilterConfig filterConfig) throws ServletException { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;
        // Generate a base64-encoded nonce (UUID.randomUUID() is backed by SecureRandom)
        String nonce = Base64.getEncoder().encodeToString(UUID.randomUUID().toString().getBytes());
        // Set the CSP header with the nonce
        httpResponse.setHeader("Content-Security-Policy", "script-src 'self' 'nonce-" + nonce + "';");
        // Expose the nonce to the rendering layer (HTL/JSP) so <script nonce="..."> can use it
        httpRequest.setAttribute("cspNonce", nonce);
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() { }
}


Pros:
Full control over nonce generation and injection.
Can be tailored to AEM specifics.

Cons:
Potential caching issues.
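As an added example (not code from this thread, from Adobe or from mod_cspnonce), a small Python checker for the three failure modes the question and the accepted answer touch on: a header nonce that is not a valid CSP base64-value (the raw UNIQUE_ID problem), a <script nonce> that does not match the header (for instance an SSI directive served unexpanded), and the same nonce recurring across several responses, which is what a cached page would produce. The sample CSP headers and HTML are constructed.

```python
import re

# CSP nonce-source grammar: 'nonce-' base64-value, where
# base64-value = 1*( ALPHA / DIGIT / "+" / "/" / "-" / "_" ) *2( "=" )
BASE64_VALUE = re.compile(r"[A-Za-z0-9+/_-]+={0,2}")
HEADER_NONCE = re.compile(r"'nonce-([^']*)'")
TAG_NONCE = re.compile(r"""<script\b[^>]*\bnonce=["']([^"']*)["']""", re.I)

def header_nonces(csp: str) -> dict:
    """Map each CSP directive to the raw nonce values it carries (unvalidated)."""
    out = {}
    for directive in csp.split(";"):
        tokens = directive.split()
        values = HEADER_NONCE.findall(directive)
        if tokens and values:
            out[tokens[0]] = values
    return out

def check_response(csp: str, html: str) -> list:
    """Findings for one response: nonce grammar and header/tag consistency."""
    findings = []
    allowed = set(header_nonces(csp).get("script-src", []))
    if not allowed:
        findings.append("script-src carries no nonce")
    for value in sorted(allowed):
        if not BASE64_VALUE.fullmatch(value):
            # e.g. a raw %{UNIQUE_ID}e containing '@': browsers ignore such a nonce
            findings.append(f"header nonce {value!r} is not a valid base64-value")
    for value in TAG_NONCE.findall(html):
        if value not in allowed:
            # also catches an SSI directive that was served unexpanded from cache
            findings.append(f"script tag nonce {value!r} is not in the header")
    return findings

def reused_nonces(csp_headers: list) -> list:
    """Nonces seen in more than one response: what a cached page would produce."""
    seen = {}
    for csp in csp_headers:
        for value in {v for vs in header_nonces(csp).values() for v in vs}:
            seen[value] = seen.get(value, 0) + 1
    return sorted(v for v, n in seen.items() if n > 1)

# Constructed sample responses (not taken from the thread).
GOOD_CSP = "default-src 'self'; script-src 'self' 'nonce-rAnd0mVal+ue=='"
GOOD_HTML = '<html><script nonce="rAnd0mVal+ue==">init();</script></html>'
BAD_CSP = "script-src 'self' 'nonce-ZqK9bX8AAAEAAB3uGd@AAAAB'"  # '@' is not base64
BAD_HTML = '<script nonce="<!--#echo var=UNIQUE_ID -->">init();</script>'
```

Run check_response over each captured page and reused_nonces over the collected headers; any non-empty result from the latter means the dispatcher or CDN served a nonce-bearing page to more than one request.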

jorganer (Author)
Level 2
July 29, 2024

Thank you very much Pradeep_Kumar_Srivastav.


We had already taken this option into account, but because of the cache issue we had not wanted to apply it for the moment.

How difficult is it to include new Apache modules like mod_cspnonce in the dispatcher?

I will wait a few days in case someone can give us a solution that applies only to the dispatcher; otherwise we will finally apply the filter solution.

Best regards.

Pradeep_Kumar_Srivastav
Community Advisor
July 30, 2024

Hi @jorganer, you have to create custom code to purge the cache using the API. You can, for example, create a workflow with which you purge the cache via the API after the filter is called. Or reach out to Adobe for an enhancement to enable this module.

kautuk_sahni
Community Manager
August 1, 2024

@jorganer Did you find the suggestions from users helpful? Please let us know if you require more information. Otherwise, please mark the answer as correct for posterity. If you've discovered a solution yourself, we would appreciate it if you could share it with the community. Thank you!

Kautuk Sahni