I created strong CSP rules for my new WordPress project.
My infrastructure is:
Self-hosted Debian VM, Docker Swarm + Portainer, WordPress + plugins + some backends like PHPMA or the Traefik dashboard.
The CSP is loaded from an external dynamic configuration file in Traefik.
The issue is: script-src with the strict-dynamic tag will not work if I do not set my nonce on every script the site uses.
The question is: can I, using Traefik superpowers, generate my nonce and include it on every local script the site loads, so that I am finally able to remove that counterproductive unsafe-inline tag?
Thanks a lot and protect yourself!
No clue about CSP; can you explain what you want to achieve? Is the nonce a random string? Is it manually created by you and manually inserted into the regular HTML? Does the JS need to have the same nonce? In the header or the source?
You can add custom response headers and you can even change response content with a plugin. But I am not sure how performant the latter would be.
I want to use the strict-dynamic policy for the script-src CSP. And since you can't control or edit all the JS that WordPress provides, it seems very complicated.
The only solution would be to use a script loader that will add a nonce to all the JavaScript. And I have no idea where to start. Strict-dynamic is interesting because it will allow a JS that you 'whitelisted' to load another JS using JSONP.
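As an added example (not code from this thread or from Traefik itself), here is the approach the reply above hints at, written as a plain Go net/http middleware of the kind a Traefik plugin wraps: it generates a per-response nonce, stamps it onto every `<script>` tag of HTML responses, and emits the matching strict-dynamic header, so the nonce never has to be hand-edited into WordPress output. The names (NonceMiddleware, addNonce, newNonce), the regex-based tag rewrite and the use of httptest.ResponseRecorder as a stand-in for a buffering writer are my own assumptions.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"net/http"
	"net/http/httptest"
	"regexp"
	"strings"
)

// scriptTag matches the start of any <script ...> opening tag (case-insensitive).
var scriptTag = regexp.MustCompile(`(?i)<script\b`)

// newNonce returns 128 bits of CSPRNG output, base64-encoded: one fresh value per response.
func newNonce() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err) // crypto/rand failure: refuse to serve rather than emit a guessable nonce
	}
	return base64.StdEncoding.EncodeToString(b)
}

// addNonce stamps nonce="..." onto every <script> opening tag in an HTML body.
func addNonce(html []byte, nonce string) []byte {
	return scriptTag.ReplaceAll(html, []byte(`<script nonce="`+nonce+`"`))
}

// NonceMiddleware buffers the upstream response (ResponseRecorder stands in for a real buffering writer), rewrites HTML bodies, and sets the matching CSP header.
func NonceMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		nonce := newNonce()
		rec := httptest.NewRecorder()
		next.ServeHTTP(rec, r)
		body := rec.Body.Bytes()
		if strings.HasPrefix(rec.Header().Get("Content-Type"), "text/html") {
			body = addNonce(body, nonce)
		}
		for k, v := range rec.Header() {
			w.Header()[k] = v
		}
		// Only nonced scripts run; what they load is trusted transitively via 'strict-dynamic',
		// so neither a host allowlist nor 'unsafe-inline' is needed for CSP3 browsers.
		w.Header().Set("Content-Security-Policy", "script-src 'nonce-"+nonce+"' 'strict-dynamic'; object-src 'none'")
		w.Header().Del("Content-Length") // the rewritten body has a different length
		w.WriteHeader(rec.Code)
		w.Write(body)
	})
}
```

The regex rewrite is an approximation: it also hits `<script` inside HTML comments and does nothing for inline event handlers such as onclick=, which the policy will still block. Responses carrying a nonce must also bypass any cache, because a nonce reused across responses is as good as none.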