Generate a nonce with Apache 2.4 (for a Content Security Policy header)


Question


We're working on creating a strict Content Security Policy (https://csp.withgoogle.com/docs/strict-csp.html) which necessitates Apache creating a nonce each time a resource is requested, so that we can insert this nonce into the http header.


How can we create a nonce with Apache 2.4?


All of the CSP related documentation I've read says something to the effect of "A nonce is just a random string that's generated on the server, included in the CSP header..." but haven't found any info on how to do this with Apache. We could of course do this with app code, but doing it via Apache seems like a cleaner solution/will ensure every single page gets the CSP header.

Answer


I would have preferred to simply add this as a comment but my reputation <50 does not allow it so I'm posting this as an answer instead.

In response:


1.) apache generates a random string via mod_unique_id


This is a "unique" value not a "random" value, so you might want to be careful with its use as a CSP nonce.


2.) we insert this into our CSP header (not sure how to do this actually)

<IfModule mod_headers.c>
    <FilesMatch "\.(htm|html|php)$">
        # %{UNIQUE_ID}e expands the per-request UNIQUE_ID environment variable
        # that mod_unique_id sets, so that module must be loaded as well.
        # "always" also stamps the header onto non-2xx (e.g. error) responses.
        Header always set Content-Security-Policy "script-src 'strict-dynamic' 'nonce-%{UNIQUE_ID}e' 'unsafe-inline' https:;"
    </FilesMatch>
</IfModule>

I hope this helps.
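As an added example (this editor's code, not part of the question or the answer above), the following Python script shows what "a random string generated on the server" should look like when produced in application code, why a UNIQUE_ID is unique but not unpredictable, and a check that the nonce in the Content-Security-Policy header matches every script tag in the body. The UNIQUE_ID layout it assumes (32-bit timestamp, 10-byte root fixed for the lifetime of the serving process, 16-bit counter, 32-bit thread index, emitted as 27 characters of base64 with '@' and '-' in place of '+' and '/') is taken from httpd 2.4's mod_unique_id.c and should be verified against your build; every ID and response below is constructed inline, not captured from a server.

```python
"""Nonce checks for the 'nonce-%{UNIQUE_ID}e' configuration above.

Added example, not code from the Stack Overflow post. The UNIQUE_ID field
layout is an assumption taken from httpd 2.4's mod_unique_id.c; the sample
IDs and HTTP responses are constructed here, not captured from a server.
"""
import base64
import re
import secrets
import struct

# mod_unique_id uses base64 with '@' and '-' in place of '+' and '/'.
_UID_TO_B64 = str.maketrans("@-", "+/")
_B64_TO_UID = str.maketrans("+/", "@-")
# CSP3 base64-value grammar: ALPHA / DIGIT / "+" / "/" / "-" / "_", then up to two "=".
_CSP_BASE64 = re.compile(r"[A-Za-z0-9+/_-]+={0,2}")
_NONCE_SOURCE = re.compile(r"'nonce-([^']*)'")
_SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
_NONCE_ATTR = re.compile(r"""\bnonce\s*=\s*["']([^"']*)["']""", re.IGNORECASE)


def make_nonce(nbytes: int = 16) -> str:
    """What the CSP docs mean by 'a random string': at least 128 bits from the
    OS CSPRNG, base64-encoded so it fits the CSP nonce grammar."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def encode_unique_id(stamp: int, root: bytes, counter: int, thread_index: int) -> str:
    """Build a UNIQUE_ID the way mod_unique_id does (assumed 2.4 layout:
    20 bytes, network byte order); used here only to construct samples."""
    raw = struct.pack("!I10sHI", stamp, root, counter, thread_index)
    return base64.b64encode(raw).decode("ascii").rstrip("=").translate(_B64_TO_UID)


def decode_unique_id(uid: str) -> dict:
    """Split a 27-character UNIQUE_ID back into its fields."""
    raw = base64.b64decode(uid.translate(_UID_TO_B64) + "=")
    if len(raw) != 20:
        raise ValueError("not a 2.4-style UNIQUE_ID")
    stamp, root, counter, thread_index = struct.unpack("!I10sHI", raw)
    return {"stamp": stamp, "root": root.hex(), "counter": counter,
            "thread_index": thread_index}


def shared_fields(uid_a: str, uid_b: str) -> list:
    """Fields two IDs have in common. The root does not change while the
    process runs, so one observed ID fixes 80 of the 160 bits of the next
    one from the same worker thread; only the timestamp and counter move."""
    a, b = decode_unique_id(uid_a), decode_unique_id(uid_b)
    return [k for k in a if a[k] == b[k]]


def check_csp_nonce(headers: dict, body: str) -> list:
    """Return the problems found in one response; [] means consistent."""
    problems = []
    match = _NONCE_SOURCE.search(headers.get("Content-Security-Policy", ""))
    if not match:
        return ["no 'nonce-...' source in Content-Security-Policy"]
    nonce = match.group(1)
    if not _CSP_BASE64.fullmatch(nonce):
        # A UNIQUE_ID may contain '@', which the CSP base64 grammar does not allow.
        problems.append("nonce has characters outside the CSP base64 grammar")
    # Length is a floor, not an entropy measure: a UNIQUE_ID passes this test.
    if len(nonce.rstrip("=")) * 6 // 8 * 8 < 128:
        problems.append("nonce shorter than 128 bits")
    for attrs in _SCRIPT_TAG.findall(body):
        attr = _NONCE_ATTR.search(attrs)
        if attr is None:
            # Under 'strict-dynamic' the https: allowlist is ignored, so a
            # script in the initial HTML without a nonce is blocked.
            problems.append(f"<script{attrs}> has no nonce")
        elif attr.group(1) != nonce:
            problems.append(f"<script{attrs}> nonce differs from the header")
    return problems


def build_response(header_nonce: str, inline_nonce, external_nonce) -> tuple:
    """Constructed response using the header from the Apache config above;
    a nonce of None leaves the attribute off that script tag."""
    def tag(nonce, extra=""):
        attr = "" if nonce is None else f' nonce="{nonce}"'
        return f"<script{attr}{extra}>"
    headers = {"Content-Security-Policy":
               f"script-src 'strict-dynamic' 'nonce-{header_nonce}' 'unsafe-inline' https:;"}
    body = ("<html><head>" + tag(inline_nonce) + "bootstrap();</script>"
            + tag(external_nonce, ' src="/static/app.js"') + "</script></head></html>")
    return headers, body


# Constructed: two consecutive requests on one worker thread, one second apart.
_ROOT = bytes.fromhex("ab3e0102030405060708")
SAMPLE_UID_A = encode_unique_id(1_700_000_000, _ROOT, 0x0102, 7)
SAMPLE_UID_B = encode_unique_id(1_700_000_001, _ROOT, 0x0103, 7)

if __name__ == "__main__":
    good = make_nonce()
    print("CSPRNG nonce:", good, check_csp_nonce(*build_response(good, good, good)))
    print("UNIQUE_ID   :", SAMPLE_UID_A,
          check_csp_nonce(*build_response(SAMPLE_UID_A, SAMPLE_UID_A, None)))
    print("shared by consecutive IDs:", shared_fields(SAMPLE_UID_A, SAMPLE_UID_B))
```

Running it shows the CSPRNG nonce passing cleanly, while the UNIQUE_ID response is flagged twice: the ID contains '@', which is outside the CSP base64 grammar for nonces, and the external script without a nonce would be blocked because 'strict-dynamic' makes the https: allowlist irrelevant. shared_fields reports that the two consecutive IDs agree on root and thread_index, which is the concrete form of the answer's "unique, not random" caveat.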
