Add a Nonce Based script-src Header in Express to Only Allow Scripts that Match the Nonce

Share this video with your friends

Send Tweet

In this lesson, we'll learn how to set the script-src CSP to use nonces. Using nonces will disallow both inline scripts and remote scripts from executing unless the script tag has a nonce attribute that matches the nonce provided by the CSP header. This will mitigate the vulnerability we discovered in the previous lesson and will effectively block all javascript from running except the scripts you explicitly added, and is an effective defense against javascript powered XSS!

Oleksii Onyshchenko
Oleksii Onyshchenko
~ 5 years ago

There is typo nonce=-${response.locals.nonce} it should be: nonce-${response.locals.nonce}.

Lucas Minter
Lucas Minter
~ 4 years ago

Thanks for this Oleksii. I got the transcripts updated.