RUM | CSP | Nonce or Hash, how to add to JavaScript tag (and CSP header) manually

fstekelenburg
DynaMight Pro

Due to the increasing security constraints of our customers we are looking at the impact and requirements to have RUM working with CSP applied, as also described in Modify Content Security Policy for RUM | Dynatrace Documentation


'unsafe-inline' is generally still used and set in CSP; however, we have to move to make use of Nonce or Hash instead, which, according to the documentation, is not yet supported for Auto Injection.

We have a case where, using Manual Injection by using the JavaScript tag in a Managed environment, we need to investigate using Nonce instead. According to Modify Content Security Policy for RUM | Dynatrace Documentation, "Nonce can be added manually to the script tag and the CSP header must be set up accordingly." However, there aren't any further pointers on how to accomplish that.
How do we add Nonce to the JavaScript tag?

Kind regards, Frans Stekelenburg                 Certified Dynatrace Associate | measure.works, Dynatrace Partner
1 REPLY

fstekelenburg
DynaMight Pro

Any pointers on how to correctly define the CSP for Agentless RUM manual insertion on Managed are highly appreciated, taking into account that the URL of the Cluster ActiveGates behind a LB+WAF is within the customer's own domain.

A "Content-Security-Policy: default-src 'self' trusted.com *.trusted.com" is thinkable, if the CAGs reside at cag.trusted.com? What if the use of hash or nonce is demanded?

Has nobody encountered the constraint yet of preventing the use of 'unsafe-inline' in CSP, if that is applicable at all?

Kind regards, Frans Stekelenburg                 Certified Dynatrace Associate | measure.works, Dynatrace Partner
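The mechanism the documentation sentence refers to, shown as added example code (not Dynatrace's or the poster's): the server generates a fresh nonce per response, places it in the `script-src` directive of the CSP header, and sets the same value as the `nonce` attribute on the manually inserted script tag, while `connect-src` allows the Cluster ActiveGate origin. The script URL and the `cag.trusted.com` origin are placeholders; substitute the `src` from your own generated RUM tag.

```python
import base64
import html
import re
import secrets

# Placeholders (assumptions), not real Dynatrace paths: substitute the src of the
# JavaScript tag generated in your environment and your own ActiveGate origin.
RUM_SCRIPT_SRC = "https://cag.trusted.com/placeholder/rum-agent.js"
BEACON_ORIGIN = "https://cag.trusted.com"


def new_nonce() -> str:
    """Per-response nonce: 128 bits from a CSPRNG, base64-encoded (the form CSP expects)."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def csp_header(nonce: str, beacon_origin: str) -> str:
    """Build a CSP that uses a nonce instead of 'unsafe-inline' for scripts.

    The nonce on the script element authorises that element even though its
    src is an external host, and connect-src covers the beacon traffic to the
    ActiveGate behind the load balancer."""
    return "; ".join([
        "default-src 'self'",
        f"script-src 'self' 'nonce-{nonce}'",
        f"connect-src 'self' {beacon_origin}",
    ])


def script_tag(nonce: str, src: str) -> str:
    """Render the manually inserted tag with the nonce attribute added."""
    return (f'<script src="{html.escape(src, quote=True)}" '
            f'nonce="{html.escape(nonce, quote=True)}"></script>')


def render_response(src: str = RUM_SCRIPT_SRC, beacon_origin: str = BEACON_ORIGIN):
    """Return (headers, body) for one HTTP response; the nonce is never reused."""
    nonce = new_nonce()
    headers = {"Content-Security-Policy": csp_header(nonce, beacon_origin)}
    body = f"<!doctype html><html><head>{script_tag(nonce, src)}</head><body></body></html>"
    return headers, body


def tag_nonce_matches(headers: dict, body: str) -> bool:
    """Verification step: the nonce advertised in the header must appear on the tag."""
    m = re.search(r"'nonce-([A-Za-z0-9+/=]+)'", headers["Content-Security-Policy"])
    return bool(m) and f'nonce="{m.group(1)}"' in body
```

Because the nonce changes per response, the HTML that carries the tag must not be served from a cache that would replay an old nonce with a new header.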
