Content Security Policy (CSP) Nonce Value Not Used Within Single Quotes

Summary

Netsparker detected that the nonce value declared in CSP is not within single quotes.

Impact

When nonce value is not used within single quotes, it will be considered as a part of the resource URL. This will cause relevant script block to not run.

Remediation

Use nonce values within single quotes, i.e.

Content-Security-Policy: script-src 'nonce-EDNnf03nceIOfn39fn3e9h3sdfa';

Classifications

CWE-16, ISO27001-A.14.2.5, WASC-15, OWASP 2013-A5, OWASP 2017-A6

Further Reading

Content Security Policy (CSP) Explained

Netsparker Security Insights

Using Content Security Policy (CSP) to Secure Web Applications
Remote Hardware Takeover via Vulnerable Admin Software
Negative Impact of Incorrect CSP Implementations
Leverage Browser Security Features to Secure Your Website