Protecting your Site from Cross-Site Scripting and Other Injection Attacks

Using nonce with Content Security Policy (CSP) header

There are a number of methods available in CSP to mitigate cross-site scripting (XSS), including host allowlists (white lists), script hashes, and a unique nonce value. SiteSpect's Content-Security-Policy Nonce Value setting adds a nonce to your Site’s Content-Security-Policy header. When enabled, SiteSpect generates a unique random string per request and adds it to the header's script-src directive as a 'nonce-...' source expression. Any inline script that wants to run must then carry a nonce attribute with the same value.

Summary:

  • SiteSpect will automatically add the nonce to inline <script> declarations in the source of your page, which is controlled by your origin, if you are specifying a script-src or default-src directive in the CSP.
  • All inline script blocks that SiteSpect adds in a Variation need to include the WATTS nonce macro __SS_CONTENTSECURITYPOLICYNONCE__. There is no harm in adding this macro in SiteSpect scripts, as it expands to an empty string if there is no nonce in the CSP, e.g. <script __SS_CONTENTSECURITYPOLICYNONCE__>

For example, if the CSP header looks like this:

Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-aAbBcCdD';

Then an inline script on the site must look like this:

<script nonce="aAbBcCdD">console.log("Hello world!");</script>

Otherwise, the browser refuses to execute the script and logs a console error stating that an inline script violated the Content-Security-Policy directive (and sends a violation report if the policy carries a report-uri or report-to directive). The value in the nonce attribute must match the value in the header exactly.

SiteSpect takes care of this automatically for all of the inline scripts in your page source when the feature is enabled and the CSP specifies a script-src or default-src directive.

To enable the feature:

  1. Select Site Configuration, then Site Settings, and then Security.
  2. Select Content-Security-Policy Nonce Value.

The following rules apply when this feature is enabled, in order of precedence:

  • If the origin is not sending a Content-Security-Policy header, SiteSpect does nothing; it does not add a header.
  • If there is a script-src directive specified and:
    • it already contains a nonce, then SiteSpect reuses that nonce value on its own scripts without modifying the header.
    • it contains 'unsafe-inline' and a hash, SiteSpect adds a newly generated nonce to the script-src. 'unsafe-inline' in this instance serves only as a fallback for older browsers that do not support hashes; a browser that supports hashes or nonces ignores 'unsafe-inline' when either is present, so adding the nonce does not loosen the policy.
    • it contains 'unsafe-inline' and no hash, SiteSpect does nothing. Inline scripts are fully enabled and none of our code is prevented from running. Removing 'unsafe-inline' and adding a nonce value instead would be likely to break existing inline scripts on your site.
    • it does not contain a nonce, then SiteSpect adds a newly generated nonce value to the script-src directive.

If there is no script-src directive but a default-src directive is specified:

  • SiteSpect copies the default-src into a new script-src directive, and then follows the same logic as for the script-src directive. The new script-src is a precise copy of the default-src, with an additional 'nonce-...' source expression if one was not already defined in the default-src.

If neither script-src nor default-src is defined, SiteSpect does nothing.
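
As an added example (not SiteSpect's own code, which this page does not publish), the following Python script implements the precedence rules above: it parses the origin's CSP header, decides whether to reuse an existing nonce, add a fresh one, or leave the header alone, and then stamps the chosen nonce onto the origin's inline <script> tags and expands the WATTS macro the way this page describes. The function and constant names are assumptions for the illustration, the sample header and HTML are constructed, and the regex-based tag rewriting is a simplification; a production proxy should rewrite HTML with a real parser.

```python
import base64
import re
import secrets

# Hypothetical names for this illustration; not SiteSpect's implementation.
MACRO = "__SS_CONTENTSECURITYPOLICYNONCE__"
NONCE_RE = re.compile(r"^'nonce-([A-Za-z0-9+/=_-]+)'$")
HASH_RE = re.compile(r"^'(sha256|sha384|sha512)-[A-Za-z0-9+/=_-]+'$")
SCRIPT_TAG_RE = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)


def generate_nonce():
    """Fresh per-request nonce: 128 bits from a CSPRNG, base64-encoded (CSP3 guidance)."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}. The first occurrence
    of a directive wins, matching how browsers treat duplicate directives."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def serialize_csp(directives):
    """Rebuild the header text from the parsed directives, in their original order."""
    return "; ".join(" ".join([name] + srcs) for name, srcs in directives.items())


def apply_nonce_rules(header, new_nonce):
    """Return (header_to_send, nonce_for_scripts) following the precedence rules.

    new_nonce is supplied by the caller (normally generate_nonce()) so the function
    is deterministic and testable. A None nonce means "add no nonce attribute".
    """
    if header is None:                       # origin sends no CSP: do nothing
        return None, None
    directives = parse_csp(header)
    if "script-src" not in directives:
        if "default-src" not in directives:  # neither directive: do nothing
            return header, None
        # No script-src: copy default-src into a new script-src, then apply the same logic
        directives["script-src"] = list(directives["default-src"])
    srcs = directives["script-src"]

    existing = [NONCE_RE.match(s).group(1) for s in srcs if NONCE_RE.match(s)]
    if existing:                             # reuse the origin's nonce, header untouched
        return header, existing[0]
    has_unsafe_inline = "'unsafe-inline'" in srcs
    has_hash = any(HASH_RE.match(s) for s in srcs)
    if has_unsafe_inline and not has_hash:   # inline already allowed; a nonce would make
        return header, None                  # browsers ignore 'unsafe-inline' and break the site
    # 'unsafe-inline' plus a hash, or no nonce at all: append a fresh nonce source expression
    srcs.append(f"'nonce-{new_nonce}'")
    return serialize_csp(directives), new_nonce


def add_nonce_to_inline_scripts(html, nonce):
    """Stamp nonce="..." onto the origin's inline <script> tags (no src, no existing nonce)."""
    if nonce is None:
        return html

    def stamp(match):
        attrs = match.group(1)
        if re.search(r"\b(src|nonce)\s*=", attrs, re.IGNORECASE):
            return match.group(0)
        return f'<script nonce="{nonce}"{attrs}>'

    return SCRIPT_TAG_RE.sub(stamp, html)


def expand_macro(variation_snippet, nonce):
    """The WATTS macro expands to nonce="..." or to an empty string when there is no nonce."""
    return variation_snippet.replace(MACRO, f'nonce="{nonce}"' if nonce else "")


if __name__ == "__main__":
    # Constructed sample: the origin sets only default-src, as many sites do.
    origin_header = "default-src 'self'; img-src https://cdn.example"
    origin_html = '<script src="/app.js"></script><script>init();</script>'
    variation = f"<script {MACRO}>document.title = 'Variation B';</script>"

    new_header, nonce = apply_nonce_rules(origin_header, generate_nonce())
    print("Content-Security-Policy:", new_header)
    print(add_nonce_to_inline_scripts(origin_html, nonce))
    print(expand_macro(variation, nonce))
```

generate_nonce draws 128 bits from a CSPRNG because an attacker who can predict the nonce can attach it to injected script, which defeats the policy; for the same reason the rewritten HTML must not be served from a cache carrying a stale nonce, and the nonce-bearing header and body must always be produced together for the same response.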

Use the WATTS variable __SS_CONTENTSECURITYPOLICYNONCE__ as follows to add the generated nonce value to scripts that SiteSpect inserts.

<script __SS_CONTENTSECURITYPOLICYNONCE__>
//code
</script>

The macro expands to the following, where aaBBccDDffEE is just an example:

nonce="aaBBccDDffEE"