Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/zzampax/csp-hashing-nonces
Example in which the CSP use hashes/nonces to check inline-scripts
- Host: GitHub
- URL: https://github.com/zzampax/csp-hashing-nonces
- Owner: zzampax
- License: mit
- Created: 2023-10-09T10:11:34.000Z (about 1 year ago)
- Default Branch: main
- Last Pushed: 2023-10-16T11:23:46.000Z (about 1 year ago)
- Last Synced: 2023-10-17T03:23:15.085Z (about 1 year ago)
- Language: PHP
- Size: 6.84 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# CSP-Hashing-Nonces
Example in which the CSP uses hashes/nonces to check inline scripts
All these examples were made in PHP, but the CSP is the same for all languages.
## Hashes
The chosen hashing method is SHA-256. The hash is generated using the following command:
```php
base64_encode(hash('sha256', $script_content, true));
```
The hash is then added to the CSP content string:
```php
$csp .= " 'sha256-$hash'";
```
That string is later appended to the CSP header emitted with the HTML page.
### Adding custom inline scripts
If you add an inline script tag inside `final.php`, you'll need to regenerate the hashes and add them to the CSP header.
The button `Reload Hashes` will redirect you to `index.php`, and the hashes will be generated automatically.
### XSS testing
By default, non-hashed inline scripts are blocked. Using the provided input in `index.php`, an injected inline script is added to the `final.php` page with the inserted command; since its hash is not in the policy, the browser refuses to run it.
## Nonces
The nonce is generated using the following command:
```php
$nonce = base64_encode(openssl_random_pseudo_bytes(32));
```
The nonce is then added to the CSP header in the HTML, and the same value is set on the script tag it authorizes.
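As an added example (not code from the zzampax/csp-hashing-nonces repository), here is how the hash and nonce approaches described above fit together in PHP: the `'sha256-...'` sources are computed from the exact bytes of every inline script found in a page, and the nonce variant uses `random_bytes()` in place of the README's `openssl_random_pseudo_bytes()`. The function names and the sample page are this example's own assumptions.

```php
<?php
// Added example (not from the repository): derive a Content-Security-Policy value
// from the inline <script> blocks of an HTML page using 'sha256-<base64>' source
// expressions, and build the equivalent nonce-based policy.

/** Return the distinct 'sha256-...' source expressions for every inline script in $html. */
function inlineScriptHashes(string $html): array
{
    // Only <script> tags WITHOUT a src attribute are inline. The hash must cover the exact
    // bytes between the opening and closing tag, whitespace and newlines included.
    preg_match_all('#<script\b(?![^>]*\bsrc=)[^>]*>(.*?)</script>#is', $html, $m);
    $sources = [];
    foreach ($m[1] as $body) {
        $sources[] = "'sha256-" . base64_encode(hash('sha256', $body, true)) . "'";
    }
    return array_values(array_unique($sources));
}

/** Build the header value; script-src is restricted to the given source expressions. */
function buildCsp(array $scriptSources): string
{
    return "default-src 'self'; script-src " . implode(' ', $scriptSources);
}

/** Nonce variant: one fresh CSPRNG value per response, reused on every <script nonce="..."> tag. */
function makeNonce(): string
{
    // random_bytes() is PHP's CSPRNG; 16 bytes (128 bits) is sufficient for a per-response nonce.
    return base64_encode(random_bytes(16));
}

// Constructed sample page (hypothetical): one external script and two inline scripts.
$html = <<<HTML
<script src="/app.js"></script>
<script>console.log("ready");</script>
<script>
  document.title = "CSP demo";
</script>
HTML;

$hashes = inlineScriptHashes($html);               // two entries, one per inline script
header('Content-Security-Policy: ' . buildCsp($hashes));

// Changing either script body, even by one space, changes its hash and the browser blocks
// it until the policy is regenerated, which is what the README's "Reload Hashes" button does.
$nonce = makeNonce();
$nonceCsp = buildCsp(["'nonce-$nonce'"]);           // policy for the nonce-based page
echo "<script nonce=\"$nonce\">console.log('allowed by nonce');</script>\n";
```

The hash policy needs no per-request state but must be regenerated whenever an inline script changes, whereas the nonce policy must use a fresh, unpredictable value on every response.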
### Additional considerations
The hashing example has been implemented with a POST request (to keep the URL from becoming bloated with hashes), while the nonce, since in this case there is only one value, is passed through a GET request.
Obviously, *DO NOT* pass such values like this while building complete applications.