Nonce Generator
25 sites
No security coverage
This module generates a unique nonce for each request, which can be automatically added to Content Security Policy headers. Developers can then create plugins to output scripts that automatically use these nonces, preventing CSP violations even with cached content.
Nonce Generator
Generates fresh CSP nonces per request and automatically injects them into script-src Content Security Policy headers.
What It Does
This module generates a unique nonce for each HTTP request and automatically adds it to your CSP headers. The module itself doesn't add any scripts — you create plugins to output scripts that use the nonce.
How it works
- ✅ Scripts get fresh nonces on every request via lazy builders
- ✅ No CSP violations even with cached content
Creating a Plugin
Create a plugin class in your module at src/Plugin/NonceScript/MyScript.php:
<?php
namespace Drupal\mymodule\Plugin\NonceScript;
use Drupal\nonce_generator\Plugin\NonceScript\NonceScriptPluginBase;
/**
* @NonceScript(
* id = "my_script",
* label = @Translation("My Script")
* )
*/
class MyScript extends NonceScriptPluginBase {
public function getScript(string $nonce): string {
$escaped_nonce = htmlspecialchars($nonce, ENT_QUOTES, 'UTF-8');
return <<<SCRIPT
<script type="text/javascript" nonce="{$escaped_nonce}">
console.log("Hello from my script!");
// Add more JavaScript here
</script>
SCRIPT;
}
}
Adding to Templates
Use in render arrays or templates:
// Render a specific plugin
$build['my_script'] = [
'#type' => 'nonce_script',
'#plugin_id' => 'my_script',
];
// Render all active plugins
$build['all_scripts'] = [
'#type' => 'nonce_script',
'#all_plugins' => TRUE,
];