By using AWS re:Post, you agree to the Terms of Use

How To Inject A Nonce Into CoudFront Distribution For My Content Security Policy

0

Hello All,

I am building a new website from scratch. I want to comply with the latest CSP recommendations.

Using Nginx on an EC2 instance that serves as my origin. I have configured Nginx to inject a nonce into me Headers and the various scripts and styles. I have moved al in-line stuff to style sheets and js files. I used this tutorial: --https://krvtz.net/posts/easy-nonce-based-content-security-policy-with-nginx.html

All works great when I access the server directly via cdn.mywebsite.com. I also use the same subdomain, cdn.mywebsite.com as the source for my CloudFront Distribution. I then invalidate the whole, /*, distribution. When I access the site via mywebsite.com, which is set up via Rout 53 to fetch from CloudFront, everything breaks.

I view the source code and see that the nonce has been rewritten to "" instead of the nice and secure string that I get when directly accessing via the origin.

I can figure things out but am lost. Do I need a Lambada function or something else?

Hugs and kisses for any help provided,

JCU

1 Answer
0

Hi,

Thanks for your question and it seems we missed on our backlog. I am really sorry for that. Can you please confirm if you still have issues?

I believe that this issues it is related to CORS - cross-origin resource sharing How do I resolve the "No 'Access-Control-Allow-Origin' header is present on the requested resource" error from CloudFront? -> https://aws.amazon.com/premiumsupport/knowledge-center/no-access-control-allow-origin-error/

Looking forward for hearing back from you.

answered 2 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions