How to implement content security policy with NWebsec

Question

I am implementing content security policy in Asp.Net application.(.Net Framework 3.5). I have installed NWebSec (4.0) through nuget packages and added blow configuration in web.config.

<nwebsec>
 <httpHeaderSecurityModule>
    <securityHttpHeaders>
    <content-Security-Policy enabled="true">
          <default-src self="true"/>
          <script-src self="true" unsafeInline= "true">
             <add source="*.abc.com" />
              </script-src>
    </content-Security-Policy>
   </securityHttpHeaders>
  </httpHeaderSecurityModule>
 </nwebsec>

The above configuration generates below header

Content-Security-Policy: default-src ‘self’; script-src ‘self’ 'unsafe-inline' *.abc.com

But I believe, the above header is missing 'nonce' tag it must be something like

Content-Security-Policy: default-src ‘self’; script-src ‘self’ 'unsafe-inline' 'nonce-Koegbg1128522' *.abc.com

Why am I not getting this 'nonce' tag in header?

Answer 1

I'm not quite sure why you are under the impression that a nonce should be added by the provided configuration. AFAIK, If you want to use nonce with NWebSec, you have to also use the htmlHelper CspStyleNonce function like such

<script @Html.CspScriptNonce()>document.write("Hello world")</script>

Or if you prefer to use bundling

@Scripts.RenderFormat("<script type=\"text/javascript\" src=\"{0}\" " + @Html.CspScriptNonce() + "></script>","<Path to script bundle>")

More information could be found on the official NwebSec documentation