1

I am in the process of implementing CSP for my website.

I have generated hash values for our static scripts and those are inserted in the response header by Akamai. The problem I have is with the dynamically created JavaScript code. If I want to use a nonce value, how can I pass that nonce value to Akamai so that it's appended to the CSP header?

If I send a second script-src CSP header, only the most restrictive one will be taken into account and that is obviously not going to work.

user2145893
  • 135
  • 1
  • 5

1 Answer

1

You can extract the nonce at the edge from headers provided by your origin and append it to the outgoing CSP header you are already building at the edge. The security may be weak if your pages are cached.

Alternatively, your origin could put a placeholder instead of the nonce and then replace it at the edge, generating your nonce there. You need to be careful with the placeholder value to be sure it can't be used against you.

Guillaume
  • 12,824
  • 3
  • 40
  • 48