
Add nonce value to Content Security Policy Headers?

Level 1

Hello everyone.

We are working on AEM as a Cloud Service.


We are trying to add a nonce attribute in the Content-Security-Policy header.

We have been looking at different solutions, but none satisfactory.

We started thinking about making a filter in the AEM application server to read the header, add a random number and put it in the <script nonce-xxxxx> tags; we discarded this option because the portal has a cache.
We have found several articles indicating how to perform this functionality in the (Apache web server) dispatcher.

We activate the include in our virtual host to enable SSI and thus replace the variable set in the dispatcher in the pages.

Header set Content-Security-Policy "script-src ... 'nonce-%{UNIQUE_ID}e'; ..."
<script nonce="<!--#echo var="UNIQUE_ID" -->">...</script>

The UNIQUE_ID variable is not strictly base64 encoded. CSP requires a nonce to be base64 encoded; you can solve this by using Apache expressions, but it starts to get complicated.

A better approach is to use a specially created module, such as mod_cspnonce. It also provides an environment variable, in this case called CSP_NONCE.

We have tried it in the dispatcher and the variable returns null; we think this module is not available in the dispatcher. Is it possible to enable this module in the dispatcher?

I don't know if we could have problems with Fastly CDN.

Or you can think of another solution.


Best Regards.
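The post above hinges on two facts: a CSP nonce must match the spec's base64-value grammar, and Apache's UNIQUE_ID uses an alphabet (including "@") that does not. The following is an added example, not code from the thread or from Adobe, that checks a candidate value against that grammar, generates a conforming nonce, and builds the matching header and script tag; the UNIQUE_ID-style sample string is constructed for illustration.

```python
import base64
import re
import secrets

# CSP Level 3 grammar for a nonce value:
#   base64-value = 1*( ALPHA / DIGIT / "+" / "/" / "-" / "_" ) *2( "=" )
# "-" and "_" are allowed, but "@" (which Apache's UNIQUE_ID can contain) is not.
BASE64_VALUE = re.compile(r"^[A-Za-z0-9+/\-_]+={0,2}$")


def is_valid_csp_nonce(value: str) -> bool:
    """Return True if value matches the CSP base64-value grammar."""
    return bool(BASE64_VALUE.match(value))


def make_nonce(num_bytes: int = 16) -> str:
    """Generate a fresh, unpredictable nonce (128 bits by default) as standard base64."""
    return base64.b64encode(secrets.token_bytes(num_bytes)).decode("ascii")


def build_csp_header(nonce: str, extra_script_sources=()) -> str:
    """Build a Content-Security-Policy value whose script-src carries the nonce.

    Refuses values that browsers would reject, which is the failure mode the
    post describes when UNIQUE_ID is used directly.
    """
    if not is_valid_csp_nonce(nonce):
        raise ValueError(f"nonce is not a valid CSP base64-value: {nonce!r}")
    sources = " ".join(("'self'", f"'nonce-{nonce}'", *extra_script_sources))
    return f"script-src {sources}; object-src 'none'; base-uri 'self'"


def script_tag(nonce: str, body: str) -> str:
    """Emit an inline script tag that the header built above will allow."""
    return f'<script nonce="{nonce}">{body}</script>'


if __name__ == "__main__":
    # Constructed sample in the shape of Apache's UNIQUE_ID (its alphabet includes "@").
    apache_unique_id = "ZqW0@hI8-k5rM2xLq3@PqgAAAAA"
    print(apache_unique_id, "valid nonce:", is_valid_csp_nonce(apache_unique_id))
    nonce = make_nonce()
    print(build_csp_header(nonce))
    print(script_tag(nonce, "console.log('hello');"))
```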



2 Replies

Level 8

You can check this thread to get some ideas
https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/aem-as-a-cloud-how-to-add-...
However, for your last point, custom Apache modules are not supported on AEMaaCS, so I think you will not be able to do that: https://experienceleague.adobe.com/en/docs/experience-manager-cloud-service/content/implementing/con...

Level 1

Thank you very much.

I have consulted that article before opening this query.

Greetings.