How to generate a nonce in node.js?

node.js content-security-policy nonce
João Pimentel Ferreira picture João Pimentel Ferreira · Apr 27, 2018 · Viewed 10k times · Source

I need to generate a nonce (number generated only once) to remove the CSP rule 'unsafe-inline' and all the trusted URLs for scripts, improving the CSP score. Thus I need to have in the HTML

<script nonce="{{{nonce}}}" src="http://example.com/file.js">

I know the nonce must be unique with a method of calculation almost impossible to predict, it should have at least 128 bits (hence 16 bytes), and be encoded in base64. Is therefore this correct for node.js?

const crypto = require('crypto');
let nonce = crypto.randomBytes(16).toString('base64');

Answer

Jo&#227;o Pimentel Ferreira picture João Pimentel Ferreira · Apr 29, 2018

Just to confirm that indeed this does work in NodeJS for CSP nonces

const crypto = require('crypto');
let nonce = crypto.randomBytes(16).toString('base64');

Related questions

Trying to render iframe: ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'"

I would like to render an iframe with the source being Github like so: <iframe src="https://gist.github.com/user45445/9bf8d568e3350146ba302d7d67ad576f"> </iframe> This is the error I get …

Read More
nodeJS - where exactly can I put the Content Security Policy

I don't know where to apply the Content Security Policy (CSP) snippet below in my code; Content-Security-Policy: script-src 'self' https://apis.google.com Should it be in the HTML? Will it be best implemented in JavaScript as in the code …

Read More
node.js - correct content security policy for socket.io (web sockets) using helmet

I am trying to implement content security policies (CSP) in a node server, and am having trouble setting up socket.io. It looks like I am setting up the connectSrc incorrectly in the code below. Could someone suggest the correct …

Read More