RUM | CSP | Nonce or Hash, how to add to JavaScript tag (and CSP header) manually

fstekelenburg
DynaMight Pro

Due to the increasing security constraints of our customers, we are looking at the impact and requirements of having RUM working with CSP applied, as also described in Modify Content Security Policy for RUM | Dynatrace Documentation.

 

'unsafe-inline' is generally still used and set in CSP; however, we have to move to using a nonce or hash instead, which, according to the documentation, is not yet supported for auto-injection.

We have a case where, using manual injection via the JavaScript tag in a Managed environment, we need to investigate using a nonce instead. According to Modify Content Security Policy for RUM | Dynatrace Documentation, "Nonce can be added manually to the script tag and the CSP header must be set up accordingly." However, there aren't any further pointers on how to accomplish that.
How do we add a nonce to the JavaScript tag?

Kind regards, Frans Stekelenburg                 Certified Dynatrace Associate | Cegeka.com, Dynatrace Partner
3 REPLIES

fstekelenburg
DynaMight Pro

Any pointers on how to correctly define the CSP for manual insertion of agentless RUM on Managed are highly appreciated, taking into account that the URL of the Cluster ActiveGates behind a LB+WAF is within the customer's own domain.

A "Content-Security-Policy: default-src 'self' trusted.com *.trusted.com" is conceivable if the CAGs reside at cag.trusted.com? What if the use of a hash or nonce is demanded?

Has nobody encountered the constraint yet of having to prevent the use of 'unsafe-inline' in CSP, if that is applicable at all?

Kind regards, Frans Stekelenburg                 Certified Dynatrace Associate | Cegeka.com, Dynatrace Partner

Yes, it is 2025, and there is still no solution.

Not to say that it is not that easy to address, but Dynatrace doesn't have a response for this.

In the past, I had one case where I had to dump RUM because of this issue. At the moment I have a special case where I'm going to try something: get the hash, insert it into the CSP, and configure Dynatrace so the RUM version does not get updated...

Antonio Sousa

peteh
Observer

This is also a limitation we are facing: our software, developed in house, has a requirement from our customers to protect against <script> injection by using a nonce token and a strict-dynamic Content-Security-Policy.

Automatic injection from OneAgent lacks the nonce token, requiring us to explore other injection avenues for ruxitagent.
