Implementing Content Security Policy (CSP)

Added by Maruthi Pathapati over 1 year ago

Hi,

Greetings.

I am trying to harden our Wt application. I scan the application using https://observatory.mozilla.org .

It complains about Content Security Policy (CSP) - especially script-src.

My points are:

Is it possible to have CSP nonces configured (to use along with 'strict-dynamic' in a reverse proxy such as Apache)? I mean, let "nonce" be a configuration item. Could the Wt library pick up the nonce from the config file and inject it into the tag?

Or is there any other option to overcome the issue (without using 'unsafe-inline' and 'unsafe-eval') in the default-src or script-src?

Note: I am not well versed in the internals of the Wt library.

I look forward to your suggestions.

Best Regards
Maruthi
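As an added illustration (not Wt code, and not something the poster wrote): the per-response nonce flow the question asks about, in Python, written as a response-rewriting step that a middleware or reverse-proxy layer could perform. The sample HTML, the regex-based tag rewrite and the function names are constructed for this example.

```python
import re
import secrets
from typing import Optional, Tuple

# Constructed sample response body (not from the Wt project): one external
# script, one inline script, and one script that already carries a nonce.
SAMPLE_HTML = """<html><head>
<script src="/resources/app.js"></script>
<script type="text/javascript">init();</script>
</head><body>
<script nonce="preset">console.log("already tagged");</script>
</body></html>"""

# Opening <script ...> tag that does not already carry a nonce attribute.
_SCRIPT_TAG = re.compile(r"<script(?![^>]*\bnonce=)(?=[\s>])", re.IGNORECASE)
_NONCE_CHARS = re.compile(r"[A-Za-z0-9_=+/-]+")


def generate_nonce() -> str:
    # 128 bits of randomness, base64url encoded; a fresh value per response.
    return secrets.token_urlsafe(16)


def build_csp_header(nonce: str) -> str:
    # 'strict-dynamic' lets scripts loaded by a nonced script execute without
    # a host allowlist; object-src/base-uri close common policy bypass routes.
    if not _NONCE_CHARS.fullmatch(nonce):
        raise ValueError("nonce contains characters not valid in a CSP source")
    return (
        f"script-src 'nonce-{nonce}' 'strict-dynamic'; "
        "object-src 'none'; base-uri 'none'"
    )


def inject_nonce(html: str, nonce: str) -> str:
    # Add nonce="..." to every <script> tag that does not already have one.
    return _SCRIPT_TAG.sub(f'<script nonce="{nonce}"', html)


def apply_csp_nonce(html: str, nonce: Optional[str] = None) -> Tuple[str, str]:
    """Return (rewritten_html, csp_header_value) for a single response."""
    nonce = nonce or generate_nonce()
    header = build_csp_header(nonce)
    return inject_nonce(html, nonce), header


def count_unnonced_scripts(html: str) -> int:
    """Audit helper: number of <script> tags a nonce-only policy would block."""
    return len(_SCRIPT_TAG.findall(html))
```

The nonce has to be unguessable and freshly generated for every response; a fixed value read from a configuration file would be known to any script injected into the page, so the policy would no longer block it.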