I posted this same question on ServerFault but don’t seem to be getting much traffic there, so figured I might post it here too.
I’m trying to implement a nonce for our CSP header policy. I’d like to remove the “unsafe-inline” from the script-src policy, as Angular now supports binding a nonce for its inline scripts, but I’m having a hard time figuring out how to pass the nonce with the initial content response headers on Windows (it’s also entirely possible that I’m misunderstanding this process entirely).
We use Azure App Services for hosting, and Azure Front Door for a firewall/load-balancer. I feel like there are two possible options here:
- Add a nonce header with the IIS configuration when requesting the JS for the Angular app.
- Set up a header on the Front Door to return the nonce value.
From my attempts, I don’t see a way to configure the headers in IIS to support a random number. I do have a web.config file that allows me to add the CSP headers, but I’m not able to assign anything other than static strings to this file.
Here is my web.config file:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Angular Routes" stopProcessing="true">
          <match url=".*" />
          <conditions logicalGrouping="MatchAll">
            <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
            <add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
          </conditions>
          <action type="Rewrite" url="/" />
        </rule>
      </rules>
    </rewrite>
    <security>
      <requestFiltering removeServerHeader="true" />
    </security>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
        <add name="X-Frame-Options" value="SAMEORIGIN" />
        <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains"/>
        <add name="X-XSS-Protection" value="1; mode=block" />
        <add name="X-Content-Type-Options" value="nosniff" />
        <add name="Content-Security-Policy" value="
          ****** SPACING ADDED FOR READABILITY ******
          connect-src 'self' *.my-domain.com my-domain.com;
          default-src 'self';
          script-src 'self' https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'unsafe-inline';
          style-src 'self' https://fonts.googleapis.com 'unsafe-inline';
          font-src 'self' https://fonts.gstatic.com 'unsafe-inline';
          frame-src https://www.google.com/recaptcha/ https://recaptcha.google.com/recaptcha/;"
        />
        <add name="Referrer-Policy" value="strict-origin" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
For the Front Door, it’s a similar issue. I can add custom headers, but not random values.
Thanks in advance for any help/insight you can offer.