Gusto Engineering

Nonce-based Content Security Policy (CSP) in Rails


What is a Content Security Policy?

script-src directive with some host-source directives allowing for CSP bypass
Network tab shows CSP enforcing “mode” blocking some fonts from loading

What is the point of a Content Security Policy?

Defense in depth — an attacker must break through each layer of defense from sanitization of user input to CSP in order to reach the crown jewels

Enforcing vs Report-Only

Example of CSP violation in DevTools console when CSP is in Report-Only “mode”
Network tab in Chrome DevTools shows that both Content-Security-Policy and Content-Security-Policy-Report-Only headers are sent

How Does Reporting Work?

Example report-uri directive
{
  "csp-report": {
    "blocked-uri": "inline",
    "column-number": 1,
    "document-uri": "",
    "line-number": 21,
    "original-policy": "default-src 'self'; script-src 'unsafe-inline' 'strict-dynamic' 'nonce-[removed]'; report-uri",
    "violated-directive": "script-src"
  }
}

Traditional CSP vs Nonce-based CSP

Example of a directive in traditional CSP
Example of nonce-based CSP behavior with script-src directive
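To make the difference between the two policies concrete, and to show why the report above lists an "inline" script as blocked even though the policy contains 'unsafe-inline', here is a small Ruby model of the script-src decision, written for this page (not code from the Gusto post or from Rails). It applies the CSP3 rules that matter for nonce-based policies (a nonce or hash source disables 'unsafe-inline'; 'strict-dynamic' disables 'self' and host sources), and produces a report shaped like the one above. The hostnames, the report-uri path and the policy strings are constructed sample values.

```ruby
require 'securerandom'

# Split a policy header value into its script-src source expressions (assumed helper).
def script_src_sources(policy)
  directive = policy.split(';').map(&:strip).find { |d| d.start_with?('script-src') }
  directive ? directive.split(/\s+/).drop(1) : []
end

# Decide whether one script would execute under the given script-src sources.
# Simplified CSP3 matching, enough for nonce-based policies:
#   * a nonce or hash source makes the browser ignore 'unsafe-inline'
#   * 'strict-dynamic' makes the browser ignore 'self' and host sources
#   * a script whose nonce attribute matches a 'nonce-...' source is allowed
# script is a Hash: { inline: true, nonce: "..." } or { host: "cdn.example.com" }
def script_allowed?(sources, script, page_host)
  nonces = sources.map { |s| s[/\A'nonce-(.+)'\z/, 1] }.compact
  nonce_or_hash = !nonces.empty? || sources.any? { |s| s.start_with?("'sha") }
  return true if script[:nonce] && nonces.include?(script[:nonce])
  return sources.include?("'unsafe-inline'") && !nonce_or_hash if script[:inline]
  return false if sources.include?("'strict-dynamic'")
  return true if sources.include?("'self'") && script[:host] == page_host
  sources.any? { |s| s.sub(%r{\Ahttps?://}, '') == script[:host] } # exact host match only
end

# Build a report like the one in the post, or nil when the script is allowed.
# "document-uri" and "blocked-uri" are constructed sample values.
def csp_report(policy, script, page_host)
  return nil if script_allowed?(script_src_sources(policy), script, page_host)
  { 'csp-report' => {
      'blocked-uri' => script[:inline] ? 'inline' : "https://#{script[:host]}/app.js",
      'document-uri' => "https://#{page_host}/",
      'original-policy' => policy,
      'violated-directive' => 'script-src' } }
end

# Traditional host-allowlist policy: any script served from the listed host runs.
TRADITIONAL = "default-src 'self'; script-src 'self' https://cdn.example.com; report-uri /csp-report"

# Nonce-based policy in the shape shown in the post. Rails generates a fresh
# nonce per request; here one is generated per call.
def nonce_policy(nonce = SecureRandom.base64(16))
  "default-src 'self'; script-src 'unsafe-inline' 'strict-dynamic' 'nonce-#{nonce}'; report-uri /csp-report"
end
```

Under the nonce policy an inline script without the nonce is blocked and reported as "inline", while under the traditional policy any script from the allow-listed CDN host runs, nonce or not.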
