Hey everyone!
I'm working on enhancing the security for my public-facing sites and am looking to implement Content Security Policy (CSP) headers alongside SSO, Let's Encrypt certificates, crowdsec, and geo-IP blocking. However, setting up CSP feels like a huge hassle. To avoid using the unsafe-inline policy, it seems that I need to use nonces or hashes. The issue is, I'm using Docker images—having to manually create new nonces every time I update the image sounds like a nightmare! Plus, some of my scripts are dynamic, so I'm wondering how to handle that in a Docker environment. There are tons of hashes to track down in the console as well, which adds to the complexity. On top of that, I've noticed that browsers struggle with the indentation in Traefik's configuration, requiring me to edit everything in a single line.
Is there an easier way to manage this? Maybe a plugin that could help capture all the static hashes while I browse, organizing them into one convenient location?
Any help would be greatly appreciated! Thanks!
2 Answers
When handling CSP in Docker, just treat it like a traditional app. You can generate a nonce for every deployment or create it per request. It's not the most straightforward solution, but it can simplify the process.
Nonces are generated per request, so you're right about that! The idea is that you have to include them in your HTML, but when using Docker, every time you clear or restart your image, you lose that nonce. It can get pretty tedious for sure.

Yeah, it's a real pain! If you're not doing it already, consider generating a nonce during each deployment and injecting it into the HTML at that moment instead of trying to manage it per request.
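For reference, here is how the two mechanisms the thread discusses fit together in the app that renders the HTML. This is an added example, not code from anyone in the thread: the template, function names and sample data are constructed. It computes `sha256` hash-sources for static inline scripts (those never change between requests, so they can be listed in a static header, for instance in a reverse-proxy headers middleware), generates a fresh nonce for every response for the dynamic script, and runs a self-check that every `<script>` in the rendered page is actually allowed by the emitted policy. Note that the CSP specification requires a nonce to be unguessable and freshly generated for each response; a value fixed at deployment time is readable in the page source by anyone and offers no more protection than `unsafe-inline`, which is why the per-request path below lives in the request handler rather than in the image build.

```python
import base64
import hashlib
import re
import secrets

# Constructed sample page: one static inline script (hashable at build time)
# and one dynamic script that is filled in per request and needs a nonce.
# Static scripts must not contain format placeholders, or the rendered text
# would no longer match the hash computed from the template.
SAMPLE_TEMPLATE = """<!doctype html>
<html><head><title>demo</title></head>
<body>
<script>console.log("static bootstrap");</script>
<script nonce="{nonce}">window.user = {user_json};</script>
</body></html>
"""

SCRIPT_RE = re.compile(r"<script(?P<attrs>[^>]*)>(?P<body>.*?)</script>", re.DOTALL)
NONCE_ATTR_RE = re.compile(r'nonce="([^"]+)"')


def make_nonce(nbytes: int = 16) -> str:
    """Fresh, unguessable nonce: 128 random bits, base64-encoded (24 chars)."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def script_hash(source: str) -> str:
    """CSP hash-source for an inline script: sha256 over the exact script text."""
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


def static_script_hashes(template: str) -> list[str]:
    """Hashes of every inline <script> in the template without a nonce attribute."""
    hashes = []
    for m in SCRIPT_RE.finditer(template):
        if "nonce=" in m.group("attrs"):
            continue  # dynamic script: covered by the per-request nonce instead
        hashes.append(script_hash(m.group("body")))
    return hashes


def build_csp(nonce: str, hashes: list[str]) -> str:
    """Assemble a policy that allows only same-origin, nonced, or hashed scripts."""
    sources = ["'self'", f"'nonce-{nonce}'"] + [f"'{h}'" for h in hashes]
    return (
        f"default-src 'self'; script-src {' '.join(sources)}; "
        "object-src 'none'; base-uri 'self'"
    )


def handle_request(template: str, user_json: str) -> tuple[dict, str]:
    """One response: new nonce, header built from nonce + static hashes, body rendered."""
    nonce = make_nonce()
    headers = {
        "Content-Security-Policy": build_csp(nonce, static_script_hashes(template)),
        "Content-Type": "text/html; charset=utf-8",
    }
    body = template.format(nonce=nonce, user_json=user_json)
    return headers, body


def policy_covers_scripts(csp: str, body: str) -> bool:
    """Self-check: every inline <script> in body is allowed by the script-src directive."""
    script_src = next(d for d in csp.split(";") if d.strip().startswith("script-src"))
    allowed = set(script_src.split()[1:])
    for m in SCRIPT_RE.finditer(body):
        nonce_m = NONCE_ATTR_RE.search(m.group("attrs"))
        if nonce_m and f"'nonce-{nonce_m.group(1)}'" in allowed:
            continue
        hashed = script_hash(m.group("body"))
        if f"'{hashed}'" in allowed:
            continue
        return False  # an inline script the browser would block
    return True


if __name__ == "__main__":
    hdrs, page = handle_request(SAMPLE_TEMPLATE, '{"name": "alice"}')
    print(hdrs["Content-Security-Policy"])
    print("all scripts covered:", policy_covers_scripts(hdrs["Content-Security-Policy"], page))
```

The hash list is computed once from the template, so it can also be emitted at image build time and pasted into a static header; only the nonce has to be produced by whatever renders the page, since a proxy that only sets headers cannot put a matching value into the HTML. The self-check doubles as a unit test in CI: render the page, parse the policy you sent, and fail the build if any inline script would be blocked, which replaces hunting for hashes in the browser console.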