Power Pages - Security
For CSP's 'nonce', what is Power Pages' server?

Hi community, 
 
I'm building a report regarding the benefits of enabling 'nonce' in the script-src of Power Pages' CSP settings. Our IT team is enforcing that hashes shouldn't be visible when inspecting the website because it might cause security issues when we deploy the website. But this is clearly wrong, based on my understanding, as the hash generated by 'nonce' is unique every single time. 
 
Reading forums and articles about this, when nonce is enabled it enables inline scripts and events in our website. But I want to further understand how the hashes are matched from the generated nonce and the server. These forums and articles do mention "server" a lot; what is this server? What server is Power Pages operating on? Are the inline script and event hashes located in the server? I want to understand how the generated nonce would match the ones in the server and how hackers may have a hard time hacking our site. 
 
Could anyone brief me on this? Could you provide more helpful articles or forums?
 
I apologize in advance if my second paragraph is a disorganized list of questions. I hope you get what I want to know. Thank you!
Suggested answer by Lucas001 (Super User 2025 Season 2):
    Hi,
     
    One of the best articles for your case, and even more for understanding, would be this: https://web.dev/articles/strict-csp
     
    The most important part would be this one:

    "With a nonce-based CSP, you generate a random number at runtime, include it in your CSP, and associate it with every script tag in your page. An attacker can't include or run a malicious script in your page, because they would need to guess the correct random number for that script. This only works if the number isn't guessable, and is newly generated at runtime for every response. Use a nonce-based CSP for HTML pages rendered on the server. For these pages, you can create a new random number for every response."

    If not defined correctly, you will see a similar picture as in step 3.

    Power Pages is hosted in Azure, and a lot of security is already in place for you. But those servers, which you can also see in some cases when errors occur, are the ones creating your nonce hash. Each Power Pages site also has an App Registration in your Azure infrastructure. That's why you need the specific role in Azure to create Power Pages. 

    Hope that helps.
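To make the quoted mechanism concrete, here is an added example (not from the original post, and not Power Pages' own code) of what the server side of a nonce-based CSP does in Python: mint a fresh nonce per response, place it in the `script-src` directive, stamp it on every server-emitted `<script>` tag, and then apply the browser's matching rule to the rendered page. The function names, the sample inline script and the "injected" tag are constructed for the illustration.

```python
import html
import re
import secrets


def make_nonce() -> str:
    # 128 bits from a CSPRNG, URL-safe base64: unguessable and new for
    # every response. This is the "random number" the web.dev quote means.
    return secrets.token_urlsafe(16)


def csp_header(nonce: str) -> str:
    # Value of the Content-Security-Policy response header. Only scripts
    # that carry this exact nonce are allowed to execute.
    return (f"script-src 'nonce-{nonce}' 'strict-dynamic'; "
            "object-src 'none'; base-uri 'none'")


def render_page(nonce: str, inline_js: str) -> str:
    # The server knows the nonce at render time, so it can put it on the
    # <script> tags it deliberately emits. Injected markup never gets it.
    return ("<html><body>"
            f'<script nonce="{html.escape(nonce)}">{inline_js}</script>'
            "</body></html>")


SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
NONCE_ATTR = re.compile(r'\bnonce="([^"]*)"')
NONCE_SRC = re.compile(r"'nonce-([^']+)'")


def scripts_allowed(page: str, header: str) -> list:
    # Browser-side check: for each <script> in the document, report whether
    # its nonce attribute equals the nonce in the script-src directive.
    # There is nothing to "look up" on the server; the match is string
    # equality between the header and the tag of the same response.
    m = NONCE_SRC.search(header)
    expected = m.group(1) if m else None
    return [
        (n := NONCE_ATTR.search(attrs)) is not None and n.group(1) == expected
        for attrs in SCRIPT_TAG.findall(page)
    ]


def simulate_response() -> list:
    # One response: trusted inline script gets the nonce, a constructed
    # untrusted tag without it is appended. Expect [True, False].
    nonce = make_nonce()
    page = render_page(nonce, "console.log('app')")
    page += "<script>/* constructed untrusted tag, no nonce */</script>"
    return scripts_allowed(page, csp_header(nonce))
```

Because the nonce is regenerated per response, the value visible in one page load is useless for the next one, which is why exposing it in the rendered HTML is by design.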
