Using nginx $request_id for CSP nonce value: how to avoid caching it?

Asked Mar 12 '21 at 03:28

Active Mar 12 '21 at 03:28

Viewed 508 times

I'm using the nginx $request_id for the CSP nonce value, but how can I get fastcgi_cache to bypass caching it?

I tried this above the location block where the variable is created, but it seems to stop all caching:

if ($request_id != "") {
    set $skip_cache 1;
}

To create the variable inside the block, I'm using:

fastcgi_param REQUEST_ID $request_id;

Thanks for any help.

asked Mar 12 '21 at 03:28

jamminjames

Every request has a different `$request_id`. It doesn't make sense to use it as a nonce value or for caching decisions. What exactly are you trying to do? – Michael Hampton Mar 12 '21 at 03:51
I've seen other examples of people using it this way. Using a nonce for inline scripts for CSP is recommended, and this is one way to do produce it. https://content-security-policy.com/nonce/. The best way to do it in Nginx is with certain modules, but I would have to recompile our installation to get those. https://scotthelme.co.uk/csp-nonce-support-in-nginx/ – jamminjames Mar 13 '21 at 04:15

0 Answers0