Generate a nonce with Apache 2.4 (for a Content Security Policy header)

Question

We\'re working on creating a strict Content Security Policy (https://csp.withgoogle.com/docs/strict-csp.html) which necessitates Apache creating a nonce each time a resource

Answer 1

After finding mod_unique_id, this was very easy (http://httpd.apache.org/docs/current/mod/mod_unique_id.html).

1.) Enable mod_unique_id. This is generally one line in httpd.conf: LoadModule unique_id_module modules/mod_unique_id.so

2.) mod_unique_id generates a unique string (see user3526609's answer, this may or may not be random enough for you) and server variable UNIQUE_ID set equal to that random string, on each page request, which you can then inject into your CSP and any inline code you need to whitelist. If you happen to use Php, $_SERVER['UNIQUE_ID'];