Click here to Skip to main content
15,400,433 members
Please Sign up or sign in to vote.
0.00/5 (No votes)
See more:
We are having a web application built on platform. We have lot of inline scripts and AJAX tool kit in the application. One of our client want to implement content-security-policy because they want to host application on public url. after ZAP scan we have got vapt of "unsafe-inline".

After lot of research we found solution like nonce/hash. We tried implementing that as well but in the nonce some JavaScript was not working which we identified.

Is there any other way to remove this VAPT.?

What I have tried:

1) Tried by adding tag on web.config script-src 'sefl' 'nonce SOME VALUE' and used nonce in script tag on the .aspx page but didnt work.

Now we are trying to put all the scripts in single js file.

What will be the chances that after replacing this the vapt will remove.?
Richard Deeming 20-Jun-22 7:56am
A NONCE is a Number used ONCE. Using the same static value on every request defeats the purpose.
Richard Deeming 20-Jun-22 7:59am
Also, if you're using WebForms, you'll find it emits a lot of inline scripts which you can't annotate to comply with a CSP that doesn't allow unsafe inline scripts. For example, many controls will have an onclick attribute to wire up an event handler.

If you don't want to allow unsafe inline scripts, you'll probably need to rewrite the application in a different framework which gives you better control over the generated HTML.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900