CSP with Nonces and Hashes

Dropping 'unsafe-inline' from script-src means every inline script must be explicitly authorized, either by a per-response nonce or by a hash of its exact content:

<!-- Using nonces for inline scripts -->
<!-- CSP: script-src 'self' 'nonce-2726c7f26c' -->
<!-- The nonce must be freshly generated for every response and never reused -->
<script nonce="2726c7f26c">
  // This script will execute because the nonce attribute matches the policy
  console.log('Secure inline script');
</script>

<!-- Using hashes for static inline scripts -->
<!-- CSP: script-src 'self' 'sha256-B2yPHKaXnvFWtRChIbabYmUBFZdVfKKXHbWtWidDVF8=' -->
<!-- The hash covers the exact bytes between the tags; any change (even whitespace) blocks the script -->
<script>alert('Hello CSP!');</script>

Generating the hash for inline content (the input must be the script body byte for byte, so `echo -n` is used to drop the trailing newline):

echo -n "alert('Hello CSP!');" | openssl dgst -sha256 -binary | openssl base64
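The following is an added example, not code from the original page: a small Python model of the server side of both mechanisms (a cryptographically random nonce per response, a CSP hash source computed from the inline script text, and the resulting script-src directive) together with a simplified version of the browser's allow/block decision, so the two failure modes (wrong nonce, modified script body) can be seen directly. The function names and the placeholder nonce/script values are this example's own; the decision model only checks sha256 sources and is not a full CSP evaluator.

```python
import base64
import hashlib
import secrets
from typing import Iterable, Optional


def generate_nonce(num_bytes: int = 16) -> str:
    """Return a fresh, unguessable nonce (base64 text) for one HTTP response.

    Nonces must come from a CSPRNG and must never be reused across responses:
    a predictable or static nonce is equivalent to 'unsafe-inline'.
    """
    return base64.b64encode(secrets.token_bytes(num_bytes)).decode("ascii")


def csp_hash_source(inline_code: str) -> str:
    """Compute the 'sha256-<base64>' source expression for an inline script body.

    Equivalent to: echo -n "<body>" | openssl dgst -sha256 -binary | openssl base64
    The body is hashed exactly as it appears between the <script> tags.
    """
    digest = hashlib.sha256(inline_code.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


def build_script_src(nonce: str, static_scripts: Iterable[str]) -> str:
    """Build a script-src directive allowing same-origin files, one nonce,
    and the hashes of the given static inline scripts (no 'unsafe-inline')."""
    sources = ["'self'", f"'nonce-{nonce}'"]
    sources += [f"'{csp_hash_source(body)}'" for body in static_scripts]
    return "script-src " + " ".join(sources)


def script_allowed(directive: str, nonce_attr: Optional[str], body: str) -> bool:
    """Simplified model of how a browser decides whether an inline script runs.

    An inline script is allowed if its nonce attribute matches a 'nonce-...'
    source, or if the sha256 of its body matches a hash source. 'self' and
    host sources never authorize inline code; only sha256 hashes are modelled.
    """
    sources = set(directive.split()[1:])  # drop the 'script-src' keyword
    if nonce_attr is not None and f"'nonce-{nonce_attr}'" in sources:
        return True
    return f"'{csp_hash_source(body)}'" in sources


def render_inline_script(nonce: str, body: str) -> str:
    """Emit a <script> tag carrying the per-response nonce."""
    return f'<script nonce="{nonce}">{body}</script>'


if __name__ == "__main__":
    # Constructed sample page: one nonced dynamic script, one hashed static one.
    static_body = "alert('Hello CSP!');"
    nonce = generate_nonce()
    header = "Content-Security-Policy: " + build_script_src(nonce, [static_body])
    print(header)
    print(render_inline_script(nonce, "console.log('Secure inline script');"))
    print(f"<script>{static_body}</script>")
```

In a real application the nonce is generated once per request, placed in the response header and in every legitimate inline `<script>` tag, and is never echoed into any attacker-controllable part of the page; the hash route is reserved for inline scripts whose text never changes.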