{"id":26509820,"url":"https://github.com/moveyourdigital/cloudflare-worker-csp-nonce","last_synced_at":"2025-03-21T01:37:23.643Z","repository":{"id":133888841,"uuid":"284753751","full_name":"moveyourdigital/cloudflare-worker-csp-nonce","owner":"moveyourdigital","description":"A Cloudflare worker to generate and inject Content Security Policy nonces in returned HTML pages.","archived":false,"fork":false,"pushed_at":"2020-08-03T21:29:31.000Z","size":9,"stargazers_count":17,"open_issues_count":2,"forks_count":4,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-03-19T10:44:33.804Z","etag":null,"topics":["attacks","cloudflare","cloudflare-worker","content-security-policy","nonces","s3-website","static-website","whitelist"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/moveyourdigital.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2020-08-03T16:42:16.000Z","updated_at":"2025-01-27T06:44:05.000Z","dependencies_parsed_at":null,"dependency_job_id":"16467272-e302-4613-9f3b-2f7279736447","html_url":"https://github.com/moveyourdigital/cloudflare-worker-csp-nonce","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/moveyourdigital%2Fcloudflare-worker-csp-nonce","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/moveyourdigital%2Fcloudflare-worker-csp-nonce/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/moveyourdigital%2Fcloudflare-worker-csp-nonce/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/moveyourdigital%2Fcloudflare-worker-csp-nonce/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/moveyourdigital","download_url":"https://codeload.github.com/moveyourdigital/cloudflare-worker-csp-nonce/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":244722699,"owners_count":20499151,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["attacks","cloudflare","cloudflare-worker","content-security-policy","nonces","s3-website","static-website","whitelist"],"created_at":"2025-03-21T01:37:22.965Z","updated_at":"2025-03-21T01:37:23.635Z","avatar_url":"https://github.com/moveyourdigital.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Cloudflare Worker Content Security Policy Nonce Generator\nA Cloudflare worker to generate and inject Content Security Policy nonces for HTML pages.\n\n### Motivation\nHTTP [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including [Cross Site Scripting (XSS)](https://developer.mozilla.org/en-US/docs/Glossary/XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to distribution of malware.\n\nCSP level 1 uses the concept of `whitelist` of domains or entire script paths, however this technique is being flagged as isecure, and there's even a [paper](https://research.google/pubs/pub45542/) around this.\n\nCSP level 2 introduced the concept of `digests` or `nonces` which would allow developers to whitelist using `sha256` checksums or a uniquely randomly generated nonce. The issue is that when we include external `stylesheets` and `scripts` that we don't control (such as Google Analytics, etc) we can't use `sha-256` directives, hence the need of nonces.\n\nCSP level 3 introduces the concept of [`strict-dynamic`](https://content-security-policy.com/strict-dynamic/) which enlargely helps developers to deploy secure websites without the burden of injecting `nonces` everywhere.\n\n### Description\n\nHere, at Move Your Digital, our sites are served from a static hosting and that colides with the uniquely generated nonce technique we need. However, if you use Cloudflare you can use this script to overcome this problem.\n\nThis small script is a [Cloudflare Worker](https://workers.cloudflare.com/) and must be deployed as one single worker. Once attached to a route, say `https://example.com/*`, all requests matching `/*` will be intercepted and a completely new and unique `nonce` is generated using the [Web Crypto](https://developers.cloudflare.com/workers/reference/apis/web-crypto/) library for each request.\n\n#### Flow\n```\nRequest -\u003e Cloudflare -\u003e Worker\n\nWorker:\n-------\n1. Request Origin (or Cloudflare cache)\n2. Generate a new nonce\n3. Replace new nonce in HTTP Response\n\nWorker -\u003e Cloudflare -\u003e Response\n```\n\n### Usage\n\n1. Create a new [Cloudflare Worker](https://workers.cloudflare.com/)\n2. Deploy `nonce-worker.js`\n3. Within `Workers` tab of domain dashboard [attach routes](https://developers.cloudflare.com/workers/about/routes/)\n4. Always respond with the static `DhcnhD3khTMePgXw` string (which is the default string which will be replaced by a new nonce). Change it if needed.\n\n### How does it work by example\n\n#### Example of response from origin\n```\nHTTP 200 OK\nContent-Type: text/html\nContent-Security-Policy: default-src 'none'; script-src 'self' 'nonce-DhcnhD3khTMePgXw' 'strict-dynamic';\nCache-Control: no-cache, max-age=0\n\n\u003chtml\u003e\n\u003chead\u003e\n  \u003clink rel=\"stylesheet\" href=\"/styles.css\" nonce=\"DhcnhD3khTMePgXw\" /\u003e\n  \u003cscript nonce=\"DhcnhD3khTMePgXw\"\u003e\n    alert(\"I'm alive!\");\n  \u003c/script\u003e\n\u003c/head\u003e\n\u003c/html\u003e\n```\n\n#### Response after Cloudflare worker\n```\nHTTP 200 OK\nContent-Type: text/html\nContent-Security-Policy: default-src 'none'; script-src 'self' 'nonce-MWM2ODViMWI3MQ/Yzk5NzJhMzQ2OWQxMTk=' 'strict-dynamic';\nCache-Control: no-cache, max-age=0\n\n\u003chtml\u003e\n\u003chead\u003e\n  \u003clink rel=\"stylesheet\" href=\"/styles.css\" nonce=\"MWM2ODViMWI3MQ/Yzk5NzJhMzQ2OWQxMTk=\" /\u003e\n  \u003cscript nonce=\"MWM2ODViMWI3MQ/Yzk5NzJhMzQ2OWQxMTk=\"\u003e\n    alert(\"I'm alive!\");\n  \u003c/script\u003e\n\u003c/head\u003e\n\u003c/html\u003e\n```\n\nNotice the change of default `nonce` string which is replaced by a randomly generated one.\n\n### Known issues and troubleshooting\n\n#### Rocket Loader®\n\nThe new [Cloudflare Rocket Loader®](https://blog.cloudflare.com/we-have-lift-off-rocket-loader-ga-is-mobile/) feature injects/replaces itself with a different script. Since we can't whitelist domains using `strict-dynamic` Google Chrome blocks this request and we were unable to find the reason. Sadly, we had to disable Rocket Loader for these websites.\n\nWe're working on a solution to overcome this issue.\n\n### Considerations\n\n#### Do not send `Content-Security-Policy` in `304 Not Modified` responses\nThis script removes `Content-Security-Policy*` headers from the response if origin responds with a `304`. This way we tell browsers to reuse the previously generated nonce. Since the nonce is private and not deterministic, no external scripts can access it and no body is modified, it's safe to reuse it during subsequent requests as browsers will use stale content.\n\n#### Limits of Workers free plan\n\nAs the time of this writing, the limit is 100k/mo. However this can change. If you need more, consider using a paying plan which in fact is very cheap.\n\n### Contributing\n\nYou can contribute for this repo. Please open an issue or a pull request.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmoveyourdigital%2Fcloudflare-worker-csp-nonce","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmoveyourdigital%2Fcloudflare-worker-csp-nonce","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmoveyourdigital%2Fcloudflare-worker-csp-nonce/lists"}