How To Inject A Nonce Into CloudFront Distribution For My Content Security Policy


Hello All,

I am building a new website from scratch. I want to comply with the latest CSP recommendations.

Using Nginx on an EC2 instance that serves as my origin. I have configured Nginx to inject a nonce into my headers and the various scripts and styles. I have moved all in-line stuff to style sheets and js files. I used this tutorial: --

All works great when I access the server directly via I also use the same subdomain, as the source for my CloudFront Distribution. I then invalidate the whole, /*, distribution. When I access the site via, which is set up via Route 53 to fetch from CloudFront, everything breaks.

I view the source code and see that the nonce has been rewritten to "" instead of the nice and secure string that I get when directly accessing via the origin.

I can figure things out but am lost. Do I need a Lambda function or something else?

Hugs and kisses for any help provided,
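A quick diagnostic for the symptom described in the question (a nonce attribute that comes back empty, or the same nonce on repeated fetches, which is what a cached copy of the page would produce). This is an added example, not code from the original post or the tutorial it links; the two sample responses and the header/body layout are constructed.

```python
import re
from typing import Dict, List

# Constructed samples: what the origin returns versus what the poster saw via the CDN.
ORIGIN = {
    "headers": {"Content-Security-Policy": "script-src 'nonce-Ab12Cd34' 'strict-dynamic'"},
    "body": '<script nonce="Ab12Cd34" src="/app.js"></script>',
}
CDN = {
    "headers": {"Content-Security-Policy": "script-src 'nonce-Ab12Cd34'"},
    "body": '<script nonce="" src="/app.js"></script>',
}

# 'nonce-<base64>' sources in the CSP header, and nonce="..." attributes in the markup.
NONCE_IN_CSP = re.compile(r"'nonce-([A-Za-z0-9+/=_-]+)'")
NONCE_IN_HTML = re.compile(r'<(?:script|style|link)\b[^>]*\bnonce="([^"]*)"', re.I)


def check_response(headers: Dict[str, str], body: str) -> List[str]:
    """Return findings for one response; an empty list means header and markup agree."""
    findings: List[str] = []
    header_nonces = set(NONCE_IN_CSP.findall(headers.get("Content-Security-Policy", "")))
    if not header_nonces:
        findings.append("no nonce-source in Content-Security-Policy header")
    for n in NONCE_IN_HTML.findall(body):
        if n == "":
            findings.append("empty nonce attribute in markup")
        elif n not in header_nonces:
            findings.append(f"markup nonce {n!r} not present in CSP header")
    return findings


def check_uniqueness(bodies: List[str]) -> List[str]:
    """A nonce must be fresh per response; a repeat across fetches means the page was cached."""
    seen: Dict[str, int] = {}
    findings: List[str] = []
    for i, body in enumerate(bodies):
        for n in NONCE_IN_HTML.findall(body):
            if n and n in seen:
                findings.append(f"nonce {n!r} repeated in responses {seen[n]} and {i}")
            seen.setdefault(n, i)
    return findings


if __name__ == "__main__":
    print("origin:", check_response(ORIGIN["headers"], ORIGIN["body"]))
    print("cdn:   ", check_response(CDN["headers"], CDN["body"]))
    print("cache: ", check_uniqueness([ORIGIN["body"], ORIGIN["body"]]))
```

Run it against two real fetches of the same page (once through the origin, twice through the distribution) to separate "nonce stripped" from "nonce cached".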


1 Answer


Thanks for your question, and it seems we missed it on our backlog. I am really sorry for that. Can you please confirm if you still have issues?

I believe this issue is related to CORS (cross-origin resource sharing). How do I resolve the "No 'Access-Control-Allow-Origin' header is present on the requested resource" error from CloudFront? ->

Looking forward to hearing back from you.

answered 2 months ago

