A Content Security Policy helps prevent XSS (Cross Site Scripting) attacks by limiting the way content is served from different sources and from where.

In this Article, I will provide a step by step process on how to implement a CSP3 compliant strict-dynamic CSP policy and properly apply it using Webpack and Nginx to serve static content. This guide can be followed with whatever file server you use.

By the end of this guide you will have a green CSP checkmark from the CSP Evaluator.

How bad is it out there? Really really bad

Content Security Policies have been around for many years now, yet there is shockingly poor documentation and guides around the internet on how to actually implement it. In fact, to see how poorly the online community understands CSP just download the “CSP Evaluator” Extension on Google Chrome and browse around.

What will you notice? First on this very website you’ll see that Medium has a script-src policy of ‘unsafe-eval’ ‘unsafe-inline’ about: https: ‘self’. Basically this policy is the same as having no policy. It allows any resource (as long as it’s https) to inject strings as code into this website via eval opening up medium.com to XSS attacks and other attack vectors.

WhiteLists, Whitelists, and more Whitelists

The CSP1 and CSP2 spec provided the concept of whitelists. Meaning every single domain that serves or displays on a page must be whitelisted in the CSP policy. The end result were incredibly long whitelists that were difficult or impossible to manage and keep up to date.

They also are not secure. There are also a large number of CSP bypasses and the use of JSONP which is prevalent in youtube and angular libraries that can be used to inject scripts from a seemingly trusted source. Turns out this isn’t so uncommon as expressed in this famous Research paper which motivated the creation of strict-dynamic in CSP3

Strict-Dynamic: a simpler more secure way

Strict-dynamic was proposed by W3C and has since been adopted by every browser except for Safari, Safari will likely include it in its next major release which is unfortunately annual. It gets rid of the script-src whitelist requirement and replaces it with a cryptographic nonce. In fact with strict-dynamic, all whitelist items are ignored, as long as the browser accepts strict-dynamic, otherwise the whitelist items are used. Instead strict-dynamic will allow any script as long as it matches an included cryptographic nonce or hash.

Nonce and the failure of existing Webpack modules

It is vital that the nonce is uniquely generated for each page load. It cannot be guessable. As long as the nonce is random, strict-dynamic shuts out XSS attacks. If the nonce is deterministic or static, it is useless and defeats the purpose of the CSP policy. It’s why you should 100% avoid using Slack’s Webpack module for CSP, it does not work and will not protect your website. Avoid it. They may update it at some point to create random nonces, but the way it is built currently precludes that possibility as it can only create a nonce at build time instead of at runtime.

You may also run into Google’s attempt at this issue. They instead automatically hash the source files at build time and provide that hash in the html meta policy. While this is actually a secure methodology, it will fail when you still need to use other scripts in your app that aren’t served by webpack. Once you add a nonce based policy with your web server, it will conflict with Google’s policy as the script they use to inject the hash will be rejected.

While CSP policies are allowed in the HTML Meta page, it is impossible to set up the report-uri there. That means that when a user experiences a failure, there will be no logging system and it will fail silently. For that reason it is generally recommended to use a Content-Security-Policy header from your web server instead.

WALKTHROUGH

Define the Policy

default-src 'self';
script-src 'nonce-{random}' 'strict-dynamic' 'unsafe-inline' https:;
object-src 'none';
base-uri 'self';
report-uri https://example.com/csp

This should be the starting point. Strict-dynamic only applies to the script-src entry. That means you will still need to white list other entries. All non existing entries will fallback to default-src and you will see an error if they are served from a different domain. See all of the available entries here . You might also consider adding fallback whitelist entries on the script-src to cover Safari users until the next release (In this case, any domain will be allowed to serve inline content as long as they are from an https source on Safari, not very secure, a whitelist would be better). For other browsers, only nonce-{random} and strict-dynamic is necessary, the rest will be ignored.

Add the nonce placeholder to your html template

Now we need to set a fresh window.nonce on every pageload so it can be applied to all of the webpack generated scripts and bundles. To do that we create a placeholder with any format, in this case I chose **CSP_NONCE**. Note that the script surrounding the window.nonce also needs the place holder or it will be rejected by the strict-dynamic policy

<!DOCTYPE html>
<html>
  <head>
    <title><%= htmlWebpackPlugin.options.title %></title>
    <script nonce="**CSP_NONCE**">
       window.nonce = "**CSP_NONCE**";
     </script>
  </head>
  <body>
    <div id="app"></div>
  </body>
</html>

Apply the CSP policy and populate the nonce placeholder

Next we hop over to Nginx where we create a variable and apply it to the header. I use a variable because it allowed me to organize the CSP headers by section, it also allows me to easily separate development CSP and production CSP which have slightly different requirements due to http/s and devtools. In my real life project, it looks something like this:

"'nonce-r@ndom' ${defaultsrc} ${imgsrc} ${connectsrc} ${stylesrc} ..."

Then we need to actually turn ‘nonce-random’ into a cryptographically random string. Luckily nginx provides that out of the box with ‘$request_id” which in the CSP policy would look like

'nonce-$request_id'

server{
  set csp "script-src 'nonce-$request_id' 'strict-dynamic' 'unsafe-inline' https:; object-src 'none'; base-uri 'self'; default-src 'self'; report-uri https://example.com/csp"
..
..
location / {
  ..
  add_header Content-Security-Policy "${csp}"
  try_files /path/to/index.html =404;
}

What about serving the content? Nginx isn’t a file server that supports templating, most of the information out there suggests using a third party node server to handle the template. But actually nginx supports this just fine. It is not a default module so you will need to make sure you’ve built nginx using the. “ — with-http_sub_module” configuration. If you use the official nginx docker container (or openresty), it is included by default.

Now that we have the sub_module enabled we can add the sub_filter additions

add_header Content-Security-Policy "${csp}"
sub_filter_once off;
sub_filter ‘**CSP_NONCE**’ $request_id;
try_files /path/to/index.html =404;

sub_filter_once off; causes nginx to replace more than one instance of the placeholder. This is vital since we need to both apply it to the script tag as well as set it to the variable. The other command replaces all instances of **CSP_NONCE** with the same request_id listed in the CSP policy

The __webpack_nonce__ hidden feature

__webpack_nonce__ is a magic, horribly documented feature of Webpack, that actually does a great job. Except it requires a lot of hacking to actually apply it.

It must be placed at the top of the entry file specified in your Webpack set up (usually index.js). The very first line should look like:

__webpack_nonce__ = window.nonce

This specific recipe magically turns on a feature set in Webpack that applies nonces to all scripts loaded in runtime. It actually works quite well. Placing this variable anywhere else will cause it not to work. Line 1 of index.js!

Success! Just kidding. Now let’s modify webpack

Why doesn’t it work? Well if you apply a nonce-based CSP policy, the automatically generated script that actually loads the entry file can never be run because… you guessed it.. it’s not nonced. Webpack only applies the nonces *after* the entry file was loaded and has no way of applying it to the script that loads the entry file. But don’t worry, we have a solution for that.

At this point you should be serving an ironclad CSP3 policy with Nginx, creating a fresh, random nonce on every page load that gets applied to your index.html file. If you look at the network page or source code in the devtools of your browser, you will notice the index.html page has replaced the **CSP_NONCE** with the same nonce supplied in the CSP header. Excellent! You also have access to the nonce anywhere in your app via window.nonce. This is not a security concern because the attack vector would require the hacker to know the nonce before it is served.

So at this point, you might ask why are you looking at a white screen?

As I mentioned before, __webpack_nonce__ was only a partially complete implementation, probably why Slack and Google attempted to create their own solutions. Since __webpack_nonce__ can only be set in the entry file and not the index.html file, how can the entry file ever be loaded unless the nonce is applied to the outer script? Even more complicated if you use bundle splitting and/or chunks. Unfortunately the html-webpack-plugin does not have functionality for this so we are stuck.

Custom Plugin

In your webpack.config.js file we need to create a new custom plugin that takes a hook from the html-webpack-plugin and injects the **CSP_NONCE** placeholder to every script tag. Here comes the magic

var HtmlWebpackPlugin = require("html-webpack-plugin")class NoncePlaceholder {
  apply(compiler) {
    compiler.hooks.thisCompilation.tap("NoncePlaceholder", (compilation) => {HtmlWebpackPlugin.getHooks(compilation).afterTemplateExecution.tapAsync(
        "NoncePlaceholder", 
        (data, cb) => {
          const { headTags } = data
          headTags.forEach((x) => {
            x.attributes.nonce = "**CSP_NONCE**"
          })
          cb(null, data)
        }
      )
    })
  }
}var html = new HtmlWebpackPlugin({
  title: "title",
  template: "index.ejs",
  filename: "index.html",
})const config = {
   ...
   ...
   plugins: [html, new NoncePlaceholder()]
}

This NoncePlaceholder custom plugin will now inject a nonce=”**CSP_NONCE**” to every script in the index.html file allowing it to be covered by the nginx sub_filter and converted to the allowable nonce

What about third party scripts?

Since the nonce is present in window.nonce, you can apply that nonce to any script in your app. For example, for Google Tag Manager you might have

googleTagManager.setAttribute(“src”,“https://www.googletagmanager.com/gtag/js?id=" + id)googleTagManager.setAttribute(“nonce”, window.nonce)

You will need to apply the window.nonce as a nonce attribute to any imported script or tracker.

Other directives

As you apply nonces to allow third party scripts to run, you will notice a large number of CSP errors. For example Google Analytics requires whitelist entries in img-src and connect-src. These are not covered by strict-dynamic in CSP3. Until the next draft comes out from W3C, we still need to white list all other directives. For google you can follow their guide on what needs to be white listed. For most, they lack documentation entirely, and you will just need to test the functionality to see what needs to be whitelisted. Which is one of the reasons why a report-uri is so important.

But don’t whitelist everything you see an error for! Not everything is necessary for functionality and especially services from Google, or Meta will constantly try to invade your website with trackers for their own purpose. Your CSP headers will protect your users from that, only whitelist the minimum domains you can to achieve the functionality you want.

Final Thoughts

Why was this so complicated? Why can’t __webpack_nonce__ be better documented? Why can’t it be applied in the index.html file so that the entry file can be loaded instead of failing on itself? Why do most websites have inadequate CSP policies? Why do the webpack plugins created by industry leaders lead people to create insecure policies? Why doesn’t html-webpack-plugin allow us to set a nonce attribute? There are a lot of open source opportunities here. But after spending over a week on something that should have taken a few hours, I hope this blog post can help get people on the right track and implement a solid CSP3 policy

How do you record gameplay on PC?

Record a Gameplay Video

To record a video, open the Game Bar with Windows Key + G and then click the red record button. A timer will appear at the top-right corner of your game window while it’s recording. To stop recording the window, bring up the Game Bar again and click the red stop button.

How do Youtubers record their gameplay?

You can use an internal microphone on your computer, or the mic on a gaming headset; however, if you want better, more professional sounding audio, you want to get a USB microphone. A popular choice among podcasters and many video producers on YouTube is Blue’s Snowball mic for around $70.

What do most YouTubers use to record?

YouTubers use Bandicam to make their videos

Bandicam has earned its reputation as the best game capturing and video recording software for YouTubers. It will fully satisfy both beginners and advanced users who need a tool that allows them to capture their gameplay, computer screen, system sound, and webcam/facecam.

How do you record fortnite on PC?

Launch Fortnite on your computer and click the Red Circle button to begin recording Fortnite. After that, there will be a timer on your game window. While recording Fortnite, you also can press the Camera icon to take a screenshot on your Windows 10 PC.

How do I record gameplay and audio on my computer?

Make sure install Fraps on your computer before start.

1. Plug in your microphone and headphones or your gaming headset and set audacity to record directly from your sound card.
2. Start up Fraps and begin by clicking the movies tab. …
3. Start up your game and hit record on audacity as well as in Fraps.

How do you record and stream fortnite on a PC?

Select Games from the right menu of the Nvidia GeForce Experience window. Select Fortnite from the games list and select Highlights in the top right of the window. Select the type of recording you want to make, Wins, Deaths and so on. Select Done and close Nvidia GeForce Experience.

How do you record Epic Games?

Epic Games does not currently have a way to take a screenshot. You can use the Window Screenshot feature to capture a screenshot instead. Press the Share button on the controller to capture a screenshot, Holding the Share button will capture a video.

How do I record fortnite on PC without lag?

How do I clip things with Nvidia?

When you press the Alt+F10 keyboard shortcut, ShadowPlay will save a clip of the last five minutes of gameplay to your Videos folder. With Manual mode, you can press the Alt+F9 keyboard shortcut to start manually recording a clip, then press Alt+F9 to stop the clip when you’re done recording.

How do you record fortnite on Youtube?

Does fortnite record your games?

Once everything is “on”, players will be able to record replays and view them in Fortnite. … Therefore, before reporting any player for questionable gameplay, it is best to watch the replay in Fortnite to be sure that it is a cheater and not just another highly skilled player.

Is Nvidia recording good?

Nvidia’s ShadowPlay is a solid and easy to use feature that offers fairly good performance for low- to mid-range PCs. … If you plan on using an alternative to ShadowPlay on a budget rig we’d recommend deleting the software to prevent GFE from running in the background, and dragging performance down even further.

How do I record last 30 seconds on my computer?

You can also use the Windows logo key  + Alt + G to record the last 30 seconds (or whatever time you picked) if you’ve already turned on background recording.

How do I record my screen?

Record your phone screen

1. Swipe down twice from the top of your screen.
2. Tap Screen record . You might need to swipe right to find it. …
3. Choose what you want to record and tap Start. The recording begins after the countdown.
4. To stop recording, swipe down from the top of the screen and tap the Screen recorder notification .

How is pastry made?

The usual ingredients are hot water, lard and flour, the pastry is made by heating water, melting the fat in this, bringing to the boil, and finally mixing with the flour. This can be done by beating the flour into the mixture in the pan, or by kneading on a pastry board.

What is the difference between normal cake and pastry cake?

In a nutshell, all pastries are cakes, but not all cakes are pastries. And the main difference lies in the fact that cakes involve many ingredients that are nutritious too, while pastries use only a few ingredients.

How do you cut pastry for a cake?

How do you cleanly cut a cake?

How do you professionally cut a cake?

Use a serrated knife

It seems like a straight blade would be cleaner, but actually a serrated blade cuts through cake more easily. A thin blade, like a tomato knife, is best, but a serrated bread knife also works. Use a gentle sawing motion to cut. (Here’s how to keep your knives sharp.)

How long should you leave cake in pan after baking?

When a cake is freshly baked, it needs time to set. Keep the cake in its pan and let it cool on a rack for the time the recipe specifies – usually 15-20 minutes – before attempting to remove it. Try not to let it cool completely before removing it.

Do you cut cake in half hot or cold?

The layers you‘d like to cut should be chilled, as a cold cake is much sturdier than a cake at room temperature. I like to bake my cake layers the day before and store them in the fridge.

How do you shape a cake without it falling apart?

Freezing cake:

Freezing also allows you not only to bake the cakes in advance but also to carve more intricate shapes without the cake crumbling and falling apart. How hard your cake freezes depends on the settings of your freezer. It may be necessary to let your cake defrost slightly before attempting to carve.

How do you cut and shape a cake?

How do you shape a round cake?

Instructions for Making a Heart-Shaped Cake

1. Bake a round cake.
2. Cut 1/4 from the top.
3. Cut the top curve off.
4. Flip it over and use it is a guide to cut the bottom curve off of the cake.
5. Flip it back over and put it against the bottom with the point down.
6. Trim the curves from top points (does not need to be perfect).

How do you frost a cake for beginners?

Should I put cake in fridge before icing?

Don’t Frost a Warm Cake

Baking pros in our test kitchen emphasize that it is essential to let the cake completely cool before frosting. Better yet, you can let the cake sit in the refrigerator for a while to make the process even easier.

Should I put cake in fridge after icing?

Cakes, whether kept at room temperature or in the refrigerator, should be stored airtight to keep them fresh and moist. If storing in the refrigerator, it’s best to chill the cake uncovered for about 20 minutes in the freezer or refrigerator to let the frosting harden.

Is it better to frost a cake the night before?

A: You don’t have to. Chilling cake in the fridge before frosting can make it easier to manipulate and level, but it’s not necessary. Just be sure your cake is cooled to room temperature before leveling or frosting.

Is it OK to make a cake the day before?

Un-iced: If you don’t need to ice your cake until the day, you can bake your cake at least 2-3 days ahead of time. Ideally, make an iced cake the day to keep it fresh. Refrigerated: Your cakes will last longer in the fridge, but for an event you won’t want to push it longer than about 3 days.

What do you put on a cake before icing?

How long can you keep a cake in the fridge before decorating?

Refrigerating your cakes

Kept in the fridge, cake with buttercream or ganache topping will last for 3-4 days. If the cake has custard, cream, cream cheese or fresh fruit it will last 1-2 days at most.

How is pastry made?

The usual ingredients are hot water, lard and flour, the pastry is made by heating water, melting the fat in this, bringing to the boil, and finally mixing with the flour. This can be done by beating the flour into the mixture in the pan, or by kneading on a pastry board.

What is the difference between normal cake and pastry cake?

In a nutshell, all pastries are cakes, but not all cakes are pastries. And the main difference lies in the fact that cakes involve many ingredients that are nutritious too, while pastries use only a few ingredients.

How do you cut pastry for a cake?

How do you cleanly cut a cake?

How do you professionally cut a cake?

Use a serrated knife

It seems like a straight blade would be cleaner, but actually a serrated blade cuts through cake more easily. A thin blade, like a tomato knife, is best, but a serrated bread knife also works. Use a gentle sawing motion to cut. (Here’s how to keep your knives sharp.)

How long should you leave cake in pan after baking?

When a cake is freshly baked, it needs time to set. Keep the cake in its pan and let it cool on a rack for the time the recipe specifies – usually 15-20 minutes – before attempting to remove it. Try not to let it cool completely before removing it.

Do you cut cake in half hot or cold?

The layers you‘d like to cut should be chilled, as a cold cake is much sturdier than a cake at room temperature. I like to bake my cake layers the day before and store them in the fridge.

How do you shape a cake without it falling apart?

Freezing cake:

Freezing also allows you not only to bake the cakes in advance but also to carve more intricate shapes without the cake crumbling and falling apart. How hard your cake freezes depends on the settings of your freezer. It may be necessary to let your cake defrost slightly before attempting to carve.

How do you cut and shape a cake?

How do you shape a round cake?

Instructions for Making a Heart-Shaped Cake

1. Bake a round cake.
2. Cut 1/4 from the top.
3. Cut the top curve off.
4. Flip it over and use it is a guide to cut the bottom curve off of the cake.
5. Flip it back over and put it against the bottom with the point down.
6. Trim the curves from top points (does not need to be perfect).

How do you frost a cake for beginners?

Should I put cake in fridge before icing?

Don’t Frost a Warm Cake

Baking pros in our test kitchen emphasize that it is essential to let the cake completely cool before frosting. Better yet, you can let the cake sit in the refrigerator for a while to make the process even easier.

Should I put cake in fridge after icing?

Cakes, whether kept at room temperature or in the refrigerator, should be stored airtight to keep them fresh and moist. If storing in the refrigerator, it’s best to chill the cake uncovered for about 20 minutes in the freezer or refrigerator to let the frosting harden.

Is it better to frost a cake the night before?

A: You don’t have to. Chilling cake in the fridge before frosting can make it easier to manipulate and level, but it’s not necessary. Just be sure your cake is cooled to room temperature before leveling or frosting.

Is it OK to make a cake the day before?

Un-iced: If you don’t need to ice your cake until the day, you can bake your cake at least 2-3 days ahead of time. Ideally, make an iced cake the day to keep it fresh. Refrigerated: Your cakes will last longer in the fridge, but for an event you won’t want to push it longer than about 3 days.

What do you put on a cake before icing?

How long can you keep a cake in the fridge before decorating?

Refrigerating your cakes

Kept in the fridge, cake with buttercream or ganache topping will last for 3-4 days. If the cake has custard, cream, cream cheese or fresh fruit it will last 1-2 days at most.