Use a nonce for the script-src
directive of your Content Security Policy (CSP) to help prevent
cross-site scripting (XSS)
attacks.
This functions takes a response and will add a header and transforms the HTML response body to contain a unique nonce on every request.
Scripts that do not contain a matching nonce
attribute, or that were not
created from a trusted script (see
strict-dynamic), will not
be allowed to run.
If the response already has a CSP, this will merge the directives it generates with your the directives.
This project is licensed under the BSD 3-Clause license.
csp_nonce_html_transformer
is based on
remorses/htmlrewriter which is BSD
3-Clause licensed.