Content Security Policy (CSP) is a crucial security measure that helps mitigate the risk of cross-site scripting (XSS) and other code injection attacks. By implementing CSP with a nonce—a unique token generated for each request—you ensure that only scripts with the correct nonce attribute are executed. This article provides a detailed guide on how to enable CSP with a nonce on Apache servers.

Understanding CSP Nonce

CSP's nonce mechanism lets you mark the scripts that are allowed to execute on your web pages with a unique identifier. This identifier, or nonce, must appear both in the Content-Security-Policy HTTP header and in the nonce attribute of each script element. Because a browser only runs scripts whose nonce matches the header, and the value changes on every request, a script an attacker injects into the page has no way of carrying the right value and is blocked.

Installation Guide on Apache

  1. Enable Required Modules: To set up the CSP nonce, you first need to activate two modules in your Apache environment. Open the httpd.conf file, typically located at /etc/apache2/httpd.conf or /etc/httpd/conf/httpd.conf depending on your distribution, and ensure the following lines are present and uncommented (remove the leading # if there is one):

    LoadModule headers_module modules/mod_headers.so
    LoadModule cspnonce_module modules/mod_cspnonce.so

    It’s essential to check if these lines already exist to avoid adding duplicates which could lead to configuration errors.

  2. Download and Install CSP Nonce Module: Download the appropriate version of the CSP nonce module (mod_cspnonce-1.4-win32-VS16.zip or mod_cspnonce-1.4-win64-VS16.zip) based on your server’s architecture from mod_cspnonce releases on GitHub. After downloading, extract and copy the mod_cspnonce.so file into your /usr/lib/apache2/modules directory (the path might vary).

  3. Configure .htaccess: Locate the .htaccess file in the script folder you purchased and modify it to use the CSP nonce. Replace the existing static nonce value (it appears twice in the file):

    'nonce-N2M0MDhkN2EtMmRkYi00MTExLWFhM2YtNDhkNTc4NGJhMjA3'

    with

    'nonce-%{CSP_NONCE}e'

    This change dynamically assigns a unique nonce value for each request.

  4. Update Configuration in config.php: Go to the config.php file in your script folder. Comment out the existing CSP_NONCE definition and replace it with one that reads the per-request nonce the module exposes to PHP:

    // Old definition: a fixed nonce, identical for every request
    //define('CSP_NONCE', 'nonce="N2M0MDhkN2EtMmRkYi00MTExLWFhM2YtNDhkNTc4NGJhMjA3"');
    // New definition: use the nonce mod_cspnonce generated for this request
    define('CSP_NONCE', 'nonce="' . $_SERVER['CSP_NONCE'] . '"');

Finalizing and Testing

After making these changes, restart Apache to apply the configuration. To test whether the CSP nonce is working, inspect the response headers of your site using the browser's developer tools. You should see the Content-Security-Policy header carrying a nonce value, and that value should change on every reload; the nonce attribute on the page's script tags must match it, otherwise the browser refuses to run those scripts.
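The check described above, and the per-request behaviour that steps 3 and 4 are meant to produce, can be verified offline against captured responses. The script below is an added example, not part of the original article or of mod_cspnonce; the header and page values it uses are constructed.

```python
"""Verify a CSP nonce deployment: each <script> must carry a nonce the
response header allows, and the nonce must differ between responses
(a fixed value gives no protection). Sample values are constructed."""
import re
from html.parser import HTMLParser

# Matches a 'nonce-<value>' source expression inside a CSP directive.
NONCE_RE = re.compile(r"'nonce-([A-Za-z0-9+/=_-]+)'")

def header_nonces(csp_header):
    """Return the set of nonces allowed by the script-src directive."""
    for directive in csp_header.split(";"):
        parts = directive.split()
        if parts and parts[0] == "script-src":
            return set(NONCE_RE.findall(directive))
    return set()

class _ScriptTags(HTMLParser):
    def __init__(self):
        super().__init__()
        self.nonces = []  # nonce attribute per <script>, None when absent
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.nonces.append(dict(attrs).get("nonce"))

def script_nonces(html):
    """Return the nonce attribute of every <script> tag in document order."""
    parser = _ScriptTags()
    parser.feed(html)
    return parser.nonces

def check_response(csp_header, html):
    """Count the scripts a browser would run versus block under this header."""
    allowed = header_nonces(csp_header)
    found = script_nonces(html)
    run = sum(1 for n in found if n in allowed)
    return {"scripts": len(found), "allowed": run, "blocked": len(found) - run}

def nonces_rotate(csp_headers):
    """True when every response carries a nonce and no nonce is reused."""
    seen = [header_nonces(h) for h in csp_headers]
    pairs = ((a, b) for i, a in enumerate(seen) for b in seen[i + 1:])
    return all(seen) and all(a.isdisjoint(b) for a, b in pairs)

if __name__ == "__main__":
    # Constructed responses showing what a working deployment looks like.
    first = "default-src 'self'; script-src 'self' 'nonce-N2M0MDhk'"
    second = "default-src 'self'; script-src 'self' 'nonce-ZjE5YjQ3'"
    page = '<script nonce="N2M0MDhk">init();</script><script>untrusted();</script>'
    print(check_response(first, page))   # {'scripts': 2, 'allowed': 1, 'blocked': 1}
    print("nonce rotates:", nonces_rotate([first, second]))  # True
```

Feed it two or more real responses from your server: a static nonce left in .htaccess or config.php shows up immediately as nonces_rotate returning False.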

Conclusion

Implementing CSP with nonce on an Apache server provides a robust layer of security against script-based attacks. By following the steps outlined above, you can effectively secure your platform against potential vulnerabilities. Deploy these settings on your NewsPro platform or any other web application to enjoy enhanced security.