
ETags for server-side rendered pages that contain CSP nonce


One solution is to leave the whole content generation and caching to the web application (Node in your case) and the CSP nonce generation to the front-end web server (e.g. Nginx). I have implemented it with Django, which does page caching with ETag, does all the Vary header logic etc., and the HTML it produces contains a static CSP nonce placeholder like this:

<script nonce="+++CSP_NONCE+++"> ... </script>

This placeholder is then filled in by Nginx using ngx_http_subs_filter_module:

sub_filter_once off;
sub_filter +++CSP_NONCE+++ $ssl_session_id;
add_header Content-Security-Policy "script-src 'nonce-$ssl_session_id'";

I have seen solutions using an additional Nginx module to generate a truly unique random nonce for each request, but I believe it's overkill and I'm just using the TLS session identifier, which is unique to each connecting client and may be cached for some time (e.g. 10 minutes) depending on your Nginx configuration.

Just make sure the web application returns uncompressed HTML, as otherwise Nginx won't be able to do the string substitution.