Content Security Policy (CSP) Nonce Value Not Used Within Single Quotes

Summary

Netsparker detected that the nonce value declared in CSP is not within single quotes.

Impact

When nonce value is not used within single quotes, it will be considered as a part of the resource URL. This will cause relevant script block to not run.

Remediation

Use nonce values within single quotes, i.e.

Content-Security-Policy: script-src 'nonce-EDNnf03nceIOfn39fn3e9h3sdfa';

Classifications

OWASP 2013-A5

Further Reading

Content Security Policy (CSP) Explained

Netsparker Security Insights

Remote Hardware Takeover via Vulnerable Admin Software
Negative Impact of Incorrect CSP Implementations
Leverage Browser Security Features to Secure Your Website
Content Security Policy (CSP) Explained