
To set up a strict-dynamic CSP source, it's required to maintain a unique nonce value per request. The recommended way to do it, according to this article, is with:

set_secure_random_alphanum $cspNonce 32;

Though I'm using the official nginx Docker image, which does not have the nginx_set_misc module installed, and this line fails with the error:

nginx: [emerg] unknown directive "set_secure_random_alphanum" in /etc/nginx/security-headers-master.conf:54

I have two options:

– install a non-official nginx image with Lua support,

– use an available nginx variable, e.g. $request_id, as the nonce value.

As far as I can see, according to the nginx documentation, it can fit:

$request_id – unique request identifier generated from 16 random bytes, in hexadecimal (1.11.0)

Please share your thoughts about it.

kradmiy
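One way to wire `$request_id` into a strict-dynamic policy on the stock image, as an added example that is not part of the original question or answer. It assumes a hypothetical upstream application at http://app:8080 that either reads the nonce from a forwarded X-CSP-Nonce header and writes it into its own `<script nonce="...">` tags, or emits the literal placeholder __CSP_NONCE__ as the nonce attribute of the scripts it wants allowed; the upstream address, header name and placeholder are all assumptions. The sub_filter directives come from ngx_http_sub_module, which the official image's build includes (check `nginx -V`).

```nginx
# Added example, not from the original thread. Assumed names: the upstream
# "app:8080", the header "X-CSP-Nonce" and the placeholder "__CSP_NONCE__".
server {
    listen 80;

    location / {
        proxy_pass http://app:8080;

        # $request_id is 16 random bytes, hex-encoded, generated afresh for
        # every request, so each response carries its own nonce without any
        # extra module. 'strict-dynamic' trusts the nonced scripts and whatever
        # they load programmatically; browsers that understand it ignore the
        # 'unsafe-inline' and https: fallbacks that follow (older browsers
        # fall back to them instead).
        add_header Content-Security-Policy
            "script-src 'nonce-$request_id' 'strict-dynamic' 'unsafe-inline' https:; object-src 'none'; base-uri 'none'"
            always;

        # Preferred: hand the nonce to the application so its templates can
        # write nonce="..." themselves.
        proxy_set_header X-CSP-Nonce $request_id;

        # Fallback when the application cannot be changed: rewrite a
        # placeholder in the HTML body. sub_filter only sees uncompressed
        # bodies, so do not let the upstream gzip its response.
        proxy_set_header Accept-Encoding "";
        sub_filter_types text/html;
        sub_filter_once off;
        sub_filter '__CSP_NONCE__' '$request_id';

        # A per-request nonce must never be served from a shared cache, or
        # one nonce is replayed to every user who receives the cached copy.
        add_header Cache-Control "no-store" always;
    }
}
```

Two caveats on the placeholder route: sub_filter replaces every occurrence, so if user-supplied content can ever contain the literal placeholder, an attacker who injects `<script nonce="__CSP_NONCE__">` gets a valid nonce; pick a placeholder the application can guarantee never appears in untrusted output, or use the forwarded header instead. And `add_header` directives inside a `location` replace, rather than extend, any `add_header` set at the `server` level, so any other security headers must be repeated here. Validate the result with `nginx -t` before reloading.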

1 Answer


If you compile nginx with the NGX_OPENSSL flag, the $request_id value will be sufficient for a CSP nonce because it's a 128-bit cryptographically strong random number returned by OpenSSL's RAND_bytes(). Otherwise, the value will be pseudo-random, which means that an attacker who deduces the state of your server's PRNG may be able to forge the correct request_id / CSP nonce in their XSS payload. In practice, I wouldn't worry about this too much because the attack is not straightforward and would require sending a lot of traffic to the server, but it's worth keeping this in mind.

One thing to watch out for is making sure that the request_id value isn't used for anything else that might be sensitive in your application, because you will be exposing it to the user in the source of the HTML page.

Artur Janc
In the output of `nginx -V`, if I have "--with-http_ssl_module", does it mean I compiled nginx with the NGX_OPENSSL flag? – salt Mar 28 '21 at 00:54
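Two checks that follow from the answer's caveats, as an added example written for this page (not the answerer's code). The first inspects `nginx -V` output for the configure flags that link nginx against OpenSSL; in nginx's build scripts, enabling any of the ssl modules sets USE_OPENSSL, which in turn defines NGX_OPENSSL. The second verifies that a response actually carries a `$request_id`-shaped nonce (32 lowercase hex digits, i.e. 128 bits) and that the value in the Content-Security-Policy header matches the one on the inline script. The `nginx -V` text and the HTTP response below are constructed samples, not captures from a real server.

```sh
#!/bin/sh
# Added example, not part of the original answer.

# Return 0 if the configure arguments in `nginx -V` output ($1) include a
# flag that builds nginx against OpenSSL. Each of these sets USE_OPENSSL in
# nginx's auto/modules, which defines NGX_OPENSSL.
nginx_built_with_openssl() {
    printf '%s\n' "$1" | grep -Eq -- '--with-(http|stream|mail)_ssl_module'
}

# Return 0 if $1 has the shape of $request_id: 16 bytes as 32 lowercase hex digits.
is_request_id_nonce() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{32}$'
}

# Print the nonce from a Content-Security-Policy header value ($1).
csp_header_nonce() {
    printf '%s\n' "$1" | sed -n "s/.*'nonce-\([^']*\)'.*/\1/p"
}

# Print the nonce attribute of the first <script> tag found in an HTML body ($1).
html_script_nonce() {
    printf '%s\n' "$1" | sed -n 's/.*<script[^>]*nonce="\([^"]*\)".*/\1/p' | head -n 1
}

# Return 0 if the header nonce ($1) and the script nonce in the body ($2)
# agree and look like a $request_id value.
response_nonce_ok() {
    h=$(csp_header_nonce "$1")
    s=$(html_script_nonce "$2")
    [ -n "$h" ] && [ "$h" = "$s" ] && is_request_id_nonce "$h"
}

# Constructed samples (not real server output).
SAMPLE_V='nginx version: nginx/1.19.9
built with OpenSSL 1.1.1k  25 Mar 2021
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_v2_module'

SAMPLE_V_NOSSL='nginx version: nginx/1.19.9
configure arguments: --prefix=/etc/nginx --without-http_gzip_module'

SAMPLE_CSP="script-src 'nonce-2c9a4f7e1d3b5a6f8e0c1b2a3d4e5f60' 'strict-dynamic'; object-src 'none'"
SAMPLE_HTML='<html><head><script nonce="2c9a4f7e1d3b5a6f8e0c1b2a3d4e5f60">init()</script></head></html>'
```

Against a live container, feed the real output in with `nginx_built_with_openssl "$(nginx -V 2>&1)"` (nginx writes `-V` to stderr), and run `response_nonce_ok` on the header and body of two separate fetches of the same page: both must pass and the two nonces must differ, otherwise something between nginx and the browser is caching the response.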