Open in app

Sign in

Write

Sign in

Implementing CSP with Nonce in Sitecore

Santosh Kumar
2 min readJun 16, 2024

--

Implementing a Content Security Policy (CSP) using nonces in a Sitecore solution can help enhance security by allowing scripts and styles only if they include a specific nonce value. This approach helps prevent cross-site scripting (XSS) attacks by ensuring that only scripts and styles you explicitly approve can be executed.

What is a Nonce?: A nonce (number used once) is a random value that is generated uniquely for each HTTP request. Scripts or styles with the corresponding nonce are allowed to execute.

Benefits of Using Nonces: Nonces provide a more granular and secure method to allow inline scripts and styles compared to other CSP directives.

Let’s implement CSP with Nonce in the Sitecore solution:

Step-1: Create one CSP processor class.

using Sitecore;
using Sitecore.Pipelines.HttpRequest;
using System.Security.Cryptography;

namespace Demo.Foundation.Extensions.Pipelines.HttpRequestBegin
{
    public class CspProcessor : HttpRequestProcessor
    {
        public override void Process(HttpRequestArgs args)
        {
            if (Context.Site == null)
                return;

            if (Context.Site.Name == "MySite")
            {
                string csp = Sitecore.Configuration.Settings.GetSetting("ContentSecurityPolicy");

                if (!string.IsNullOrEmpty(csp))
                {
                    string nonce = GenerateNonce();
                    HttpContext.Current.Items["CSPNonce"] = nonce;
                    string cspVal = string.Format(csp, nonce);

                    args.HttpContext.Response.Headers.Add("Content-Security-Policy", cspVal);
                }

            }

        }

        private static string GenerateNonce()
        {
            //Allocate a buffer
            var byteArray = new byte[20];
            //Generate a cryptographically random set of bytes
            using (var Rnd = RandomNumberGenerator.Create())
            {
                Rnd.GetBytes(byteArray);
            }
            //Base64 encode and then return
            return System.Convert.ToBase64String(byteArray);
        }
    }
}

Step-2: Add the CSP configuration file which is referenced in the above code snippet. ContentSecurityPolicy value might be different as per your project need.

<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/" xmlns:set="http://www.sitecore.net/xmlconfig/set/">
  <sitecore>
    <settings>
        <setting name="ContentSecurityPolicy" value="script-src 'nonce-{0}' 'strict-dynamic' 'unsafe-inline'; object-src https://player.blubrry.com; base-uri 'none';" />
    </settings>
  </sitecore>
</configuration>

Step-3: Now register your processor in the HttpRequestBegin pipeline and patch it after ItemResolver processor.

<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/" xmlns:set="http://www.sitecore.net/xmlconfig/set/">
  <sitecore>
    <pipelines>
        <httpRequestBegin>
              <processor type="Demo.Foundation.Extensions.Pipelines.HttpRequestBegin.CspProcessor, Demo.Foundation.Extensions"
               patch:after="processor[@type='Sitecore.Pipelines.HttpRequest.ItemResolver, Sitecore.Kernel']"/>
        </httpRequestBegin>
    </pipelines>
  </sitecore>
</configuration>

Step-4: Now create one helper method which will be used in views where the scripts and styles are used. The same method can be utilized for bundle js and css files.

public static class HtmlHelpers
{
    public static IHtmlString Nonce(this HtmlHelper htmlHelper)
    {
        var nonce = HttpContext.Current.Items["CSPNonce"] as string;
        return new HtmlString(nonce);
    }
}

Step-5: Use the helper method in your Views wherever scripts and style are defined. For example —

<script nonce="@Html.Nonce()">
    // Your inline script here
</script>

<style nonce="@Html.Nonce()">
    /* Your inline styles here */
</style>

<!-- Use with your bundle files -->
@Scripts.RenderFormat("<script nonce='" + @Html.Nonce() + "' src='{0}' async></script>", "/dist/bundles/application.bundle.js")

Testing Your CSP Implementation:

  • Check Headers: Use browser developer tools to check if the Content-Security-Policy header is correctly set with the nonce.
  • Monitor Violations: Use the browser console to monitor any CSP violations and adjust the policy accordingly.
  • Security Tools: Use tools like CSP Evaluator to evaluate your CSP policy’s effectiveness.

Implementing a Content Security Policy with nonce in a Sitecore solution is a powerful way to enhance security by ensuring that only approved scripts and styles are executed. By following the above steps, you can ensure that your site is protected against various types of content-based attacks while maintaining the functionality and user experience.

You can find my other blogs here.

Thank you!

Csp
Content Security Policy
Sitecore
Nonce
Sitecore Development

--

--

Santosh Kumar

Written by Santosh Kumar

4 Followers

Software Architect at EPAM Systems. Extensive expertise in Sitecore | XM Cloud | OrderCloud | Content Hub |.Net Core | Azure | AWS | Docker & MACH architecture.

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams