
Add a Nonce Based script-src Header in Express to Only Allow Scripts that Match the Nonce

Instructor: Mike Sherov


In this lesson, we'll learn how to set the script-src CSP directive to use nonces. With nonces, neither inline scripts nor remote scripts execute unless the script tag carries a nonce attribute that matches the nonce sent in the CSP header. This mitigates the vulnerability we discovered in the previous lesson, effectively blocks all JavaScript except the scripts you explicitly added, and is an effective defense against JavaScript-powered XSS!

Oleksii Onyshchenko
~ a year ago

There is a typo: `nonce=-${response.locals.nonce}`. It should be `nonce-${response.locals.nonce}`.

Lucas Minter
~ 5 months ago

Thanks for this Oleksii. I got the transcripts updated.