Drupal is a registered trademark of Dries Buytaert
Protected Pages 3.0.0 Major update available for module protected_pages (3.0.0). Commerce Core 3.3.8 Minor update available for module commerce (3.3.8). Search API HTML Element Filter 1.0.7 Minor update available for module search_api_html_element_filter (1.0.7). Layout Builder Reorder 2.0.1 Minor update available for module layout_builder_reorder (2.0.1). Ban 1.1.0 Minor update available for module ban (1.1.0). Field Formatter Range 2.0.0 Major update available for module field_formatter_range (2.0.0). Field Formatter Range 8.x-1.8 Minor update available for module field_formatter_range (8.x-1.8). UI Patterns (SDC in Drupal UI) 2.0.18 Minor update available for module ui_patterns (2.0.18). Search API Solr 4.3.11 Module search_api_solr updated after 14 months of inactivity (4.3.11). Provus Mega Menu Module provus_mega_menu crossed 1,000 active installs.

Seckit CSP Nonce

36 sites No security coverage
View on drupal.org

This module enhances website security by automatically adding unique "nonce" attributes to all inline JavaScript. It allows you to enforce strict Content Security Policy (CSP) rules to prevent cross-site scripting (XSS) attacks without resorting to less secure methods that would permit malicious code. This makes it easier to support essential scripts like those from Google Tag Manager while improving overall site security.

Introduction

SecKit CSP Nonce automatically adds Content Security Policy (CSP) nonce attributes to all inline JavaScript on your Drupal site, enabling you to enforce strict CSP policies without blocking legitimate scripts.
The Problem: Modern web security requires Content Security Policy headers to prevent Cross-Site Scripting (XSS) attacks. However, CSP blocks all inline JavaScript by default. While you can use 'unsafe-inline' to allow inline scripts, this defeats the entire purpose of CSP by allowing both legitimate scripts AND malicious injected code.
The Solution: This module automatically generates unique, cryptographically random nonce (number used once) values for each page request and adds them to all inline

tags. The nonce is also included in your site's CSP header, allowing legitimate inline scripts to execute while blocking any injected malicious code.

This module is perfect for site administrators who want to:

  • Improve security with strict CSP policies
  • Pass security audits and CSP evaluators
  • Support Google Tag Manager without unsafe-inline
  • Eliminate CSP violations in browser console
  • Comply with modern security best practices
No coding required - just install, configure, and your site becomes more secure!

Features

Core Functionality

  • Automatic Nonce Generation
  • Multiple Operation Modes
  • Comprehensive Script Coverage
  • Unlike other solutions, this module catches inline scripts from:
    • Drupal core and contrib modules
    • Theme templates (Twig files)
    • Raw markup and #markup render elements
    • Google Tag Manager container scripts
    • Third-party integrations and widgets
    • Custom inline JavaScript anywhere on the page
  • SecKit Integration (Optional)
  • Merge with SecKit: Adds nonce to SecKit's existing CSP policy (recommended)
  • Override SecKit: Replaces SecKit's CSP entirely (advanced usage)
  • Google Tag Manager Support
  • Advanced Configuration
  • Zero Code Changes Required
  • Production-Ready

When to Use This Module

Use this module when you need to: Enforce strict Content Security Policy on your site Pass security audits that flag unsafe-inline usage Use Google Tag Manager with proper CSP Eliminate "Refused to execute inline script" console errors Comply with security requirements for government, healthcare, or enterprise sites Support third-party scripts while maintaining security Improve your site's security rating on tools like Mozilla Observatory

Post-Installation

Will be updated soon.

Activity

Total releases
2
First release
Jan 2026
Latest release
2 months ago
Releases (12 mo)
2 ▲ from 0
Maintenance
Active

Releases

Version Type Release date
1.0.0 Stable May 14, 2026
1.0.x-dev Dev Jan 15, 2026