seckit_csp_nonce
3 sites
No security coverage
Introduction
SecKit CSP Nonce automatically adds Content Security Policy (CSP) nonce attributes to all inline JavaScript on your Drupal site, enabling you to enforce strict CSP policies without blocking legitimate scripts.
The Problem: Modern web security requires Content Security Policy headers to prevent Cross-Site Scripting (XSS) attacks. However, CSP blocks all inline JavaScript by default. While you can use 'unsafe-inline' to allow inline scripts, this defeats the entire purpose of CSP by allowing both legitimate scripts AND malicious injected code.
The Solution: This module automatically generates unique, cryptographically random nonce (number used once) values for each page request and adds them to all inline
This module is perfect for site administrators who want to:
- Improve security with strict CSP policies
- Pass security audits and CSP evaluators
- Support Google Tag Manager without unsafe-inline
- Eliminate CSP violations in browser console
- Comply with modern security best practices
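To make the nonce mechanism concrete, here is an added Python illustration of the steps described above (it is not the module's own PHP code): generating a per-request nonce from a CSPRNG, stamping it onto inline `<script>` tags while leaving external and already-tagged scripts untouched, and merging a `'nonce-...'` source into an existing `script-src` directive as the "merge with SecKit" mode does. The sample markup and the browser-side check `inline_script_permitted` are constructed for this example.

```python
import re
import secrets
import base64

# Constructed sample markup standing in for a rendered Drupal page:
# one external script, two inline scripts, and one already carrying a nonce.
SAMPLE_HTML = (
    '<html><head>'
    '<script src="/core/misc/drupal.js"></script>'
    '<script>window.dataLayer = window.dataLayer || [];</script>'
    '</head><body>'
    '<div><script type="text/javascript">console.log("from #markup");</script></div>'
    '<script nonce="preset">/* already tagged */</script>'
    '</body></html>'
)

_SCRIPT_OPEN = re.compile(r'<script\b([^>]*)>', re.IGNORECASE)
_NONCE_ATTR = re.compile(r'\bnonce\s*=\s*"([^"]*)"', re.IGNORECASE)

def generate_nonce(num_bytes=16):
    """Per-request nonce: 128 bits from the OS CSPRNG, base64-encoded as CSP expects."""
    return base64.b64encode(secrets.token_bytes(num_bytes)).decode("ascii")

def add_nonce_to_inline_scripts(html, nonce):
    """Stamp nonce="..." on every <script> open tag that has no src and no nonce yet.
    Simplification for the example: attributes are assumed not to contain a literal '>'."""
    def stamp(match):
        attrs = match.group(1)
        if re.search(r'\bsrc\s*=', attrs, re.I) or _NONCE_ATTR.search(attrs):
            return match.group(0)  # external or already-tagged script: leave as-is
        return f'<script nonce="{nonce}"{attrs}>'
    return _SCRIPT_OPEN.sub(stamp, html)

def build_csp_header(nonce, existing_script_src=("'self'",)):
    """Merge mode: append the nonce source to an existing script-src source list."""
    return "script-src " + " ".join([*existing_script_src, f"'nonce-{nonce}'"])

def inline_script_permitted(script_open_tag, csp_header):
    """Simulate the browser decision for one inline script under the given policy.
    Only the nonce rule is modelled; per CSP3, 'unsafe-inline' is ignored once a
    nonce source is present, so an inline script must then carry a matching nonce."""
    sources = []
    for directive in csp_header.split(";"):
        parts = directive.strip().split()
        if parts and parts[0] == "script-src":
            sources = parts[1:]
    if "'unsafe-inline'" in sources and not any(s.startswith("'nonce-") for s in sources):
        return True  # legacy policy: every inline script runs, injected ones included
    match = _NONCE_ATTR.search(script_open_tag)
    return bool(match) and f"'nonce-{match.group(1)}'" in sources
```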
Features
Core Functionality
- Automatic Nonce Generation
- Multiple Operation Modes
- Comprehensive Script Coverage: unlike other solutions, this module catches inline scripts from:
  - Drupal core and contrib modules
  - Theme templates (Twig files)
  - Raw markup and #markup render elements
  - Google Tag Manager container scripts
  - Third-party integrations and widgets
  - Custom inline JavaScript anywhere on the page
- SecKit Integration (Optional)
  - Merge with SecKit: adds the nonce to SecKit's existing CSP policy (recommended)
  - Override SecKit: replaces SecKit's CSP entirely (advanced usage)
- Google Tag Manager Support
- Advanced Configuration
- Zero Code Changes Required
- Production-Ready