Generate a nonce with Apache 2.4 (for a Content Security Policy header)

感情败类 2020-12-15 12:17

We're working on creating a strict Content Security Policy (https://csp.withgoogle.com/docs/strict-csp.html) which necessitates Apache creating a nonce each time a resource

4 answers
  •  慢半拍i (original poster)
    2020-12-15 12:44

    I would have preferred to simply add this as a comment but my reputation <50 does not allow it so I'm posting this as an answer instead.

    In response to:

    1.) apache generates a random string via mod_unique_id

    This is a "unique" value not a "random" value, so you might want to be careful with its use as a CSP nonce.

    2.) we insert this into our CSP header (not sure how to do this actually)

    
        
            Content-Security-Policy: script-src 'strict-dynamic' 'nonce-%{UNIQUE_ID}e' 'unsafe-inline' https:;
        
    
    

    I hope this helps.
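
The distinction the answer draws between a "unique" and a "random" value, as an added example that is not part of the original answer: a Python audit over CSP headers from successive responses that flags reused, short, or fixed-field nonces, next to a nonce drawn from the OS CSPRNG. The `UNIQUE_STYLE` values are constructed stand-ins (constant prefix plus a counter), not real mod_unique_id output, and all function names are hypothetical.

```python
import base64
import re
import secrets

NONCE_RE = re.compile(r"'nonce-([^']+)'")

def new_nonce(nbytes=16):
    """Fresh nonce from the OS CSPRNG; 16 bytes = 128 bits, base64-encoded."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")

def csp_header(nonce):
    """Policy value in the same shape as the header quoted in the answer."""
    return (f"script-src 'strict-dynamic' 'nonce-{nonce}' "
            "'unsafe-inline' https:;")

def extract_nonce(header_value):
    """Pull the nonce out of a CSP header value."""
    m = NONCE_RE.search(header_value)
    if m is None:
        raise ValueError("no nonce source in policy")
    return m.group(1)

def audit_nonces(headers):
    """Findings for the nonces seen in CSP headers of successive responses."""
    nonces = [extract_nonce(h).rstrip("=") for h in headers]
    findings = []
    if len(set(nonces)) < len(nonces):
        findings.append("reused")          # same nonce served twice
    width = min(len(n) for n in nonces)
    if width < 22:                         # fewer than 128 bits of base64
        findings.append("short")
    # Character positions identical in every sample point to fixed fields
    # (host, process, coarse time). CSPRNG output shows none at this size.
    fixed = sum(len({n[i] for n in nonces}) == 1 for i in range(width))
    if len(nonces) >= 4 and fixed > width // 4:
        findings.append("structured")
    return findings

# Constructed stand-ins for "unique" IDs: constant prefix plus a counter.
# Hypothetical values for illustration, not real mod_unique_id output.
UNIQUE_STYLE = [csp_header(f"X9iKhwoAAQEAAEx{c}AAAAAQ") for c in "ABCDEFGH"]
RANDOM_STYLE = [csp_header(new_nonce()) for _ in range(8)]

if __name__ == "__main__":
    print("unique-style:", audit_nonces(UNIQUE_STYLE))
    print("random-style:", audit_nonces(RANDOM_STYLE))
```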
