My site is on Apache and the host has enabled 'mod_unique_id'.
My CSP runs in the root .htaccess.
My host has given me 2 lines of code to put in the CSP to make an unrecognisable base64 NONCE code each time it's needed, particularly for PayPal.
What they sent:

```apache
<IfModule mod_headers.c>
Header set X-Nonce "expr=%{base64:%{reqenv:UNIQUE_ID}}"
Header set Content-Security-Policy "expr=default-src 'self'; script-src 'self' 'nonce-%{base64:%{reqenv:UNIQUE_ID}}'"
</IfModule>
```
The 2 lines of code go in my .htaccess somewhere. I'm pretty confident about the script-src, but the bit that's throwing me is the expr=default-src: is that a new directive?

This is the `Header set Content-Security-Policy` line:

```apache
Header set Content-Security-Policy "frame-ancestors 'self' twitter.com t.co;block-all-mixed-content;default-src 'unsafe-inline' https://www.(my website).com https://www.paypal.com https://www.clarity.ms https://www.google.com https://www.paypalobjects.com;script-src 'nonce-YSBmcmllbmQgaXMgYSBwZXJzb29uIHRoYXQgd2Fsa3MgaW4gd2hlbiB0aGUgb3RoZXJzIHdhbGsgb3V0'
```
I need someone who knows about CSP, the directives and the workings of the NONCE to help me set it up. My regular developer can't help me, my host has no idea, nor can a reputable developer whom I call on.
Anyone? Thanks in anticipation, Steve
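As an added illustration (not from the original post, the host, or any answer on the thread), here is how the two expression-based headers fit together with the existing policy in a root .htaccess. It assumes Apache 2.4.10 or newer with mod_headers and mod_unique_id loaded. The `expr=` prefix is not a CSP directive at all: it tells Apache's `Header` directive to evaluate the rest of the value as an expression at request time, so `%{base64:%{reqenv:UNIQUE_ID}}` is replaced by the base64 form of that request's UNIQUE_ID before the header is sent, and the browser only ever sees a normal `default-src ...; script-src ...` string. The PayPal, Clarity, Google and Twitter sources are the ones from the post; `https://www.example.com` stands in for the poster's own domain.

```apache
# Added example .htaccess fragment (assumes Apache 2.4.10+, mod_headers, mod_unique_id).
<IfModule mod_headers.c>
    # Expose the per-request nonce so the same value can be placed on
    # the page's <script nonce="..."> tags.
    Header set X-Nonce "expr=%{base64:%{reqenv:UNIQUE_ID}}"

    # One policy string. 'expr=' makes Apache expand %{...} at request time;
    # everything else is literal CSP text.
    # script-src is listed separately so the nonce governs scripts; browsers
    # ignore 'unsafe-inline' in a directive once that directive carries a nonce.
    Header set Content-Security-Policy "expr=default-src 'self' https://www.example.com https://www.paypal.com https://www.clarity.ms https://www.google.com https://www.paypalobjects.com; script-src 'self' https://www.paypal.com https://www.paypalobjects.com 'nonce-%{base64:%{reqenv:UNIQUE_ID}}'; frame-ancestors 'self' twitter.com t.co; block-all-mixed-content"
</IfModule>
```

Two practical points for checking this. First, a nonce only works if every inline `<script>` the page emits carries the identical value in its `nonce` attribute; mod_headers sets response headers late, after the application has run, so server-side code should read the `UNIQUE_ID` environment variable itself (in PHP, `$_SERVER['UNIQUE_ID']`) and base64-encode it rather than trying to read the X-Nonce response header. Second, UNIQUE_ID is assembled from the server address, process id, timestamp, a counter and a thread index, so it is unique per request but not random; CSP expects a nonce to be unpredictable (the specification recommends at least 128 bits from a cryptographically secure generator), so this is a convenience that a stricter deployment would replace with a random value generated by the application for each response. If inline styles break after removing `'unsafe-inline'` from `default-src`, put it in a separate `style-src` directive rather than back into `default-src`.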