Power Pages - Security
Suggested answer

Power Pages : How to set dynamic nonce in CSP headers

Hi Team,
 
As a part of security, we were advised to add CSP headers in our Power Pages application.
In the CSP headers, when we add the script-src tag, a few core functionalities of our application stop working.
This is because script-src will not allow inline scripts to execute.
 
This can be overcome by using the nonce tag, which needs to be enabled using the Power Pages Management app.
But what we noticed is that the nonce tag is getting added to inline scripts with a dynamically generated value.
 
This dynamically generated value changes with every request.
 
Do we have any way to configure the dynamic nonce value in the Power Pages Management security settings?

Following is the snapshot of the dynamically generated nonce value:

  • MikiC
    Hi,
     
    Is this the right way to use nonce?
     
    Site setting
     
     
    Some JavaScript on my entity list:
     
     
    Script in Developer tools. Nonce has been added but it has no value.
     
     
    No errors in console.
     
    It bothers me that there is no value.
     
    Best regards
    Miki
  • VKartik
    Hi,

    Thanks for your response.
    I tried adding 'self' to script-src but that also doesn't help and I get the same error.
    Also, I synced the settings after adding it.
    Following is the screenshot:

  • Suggested answer
    oliver.rodrigues (Most Valuable Professional)
    My understanding here is that you don't need to worry about the dynamic token that is generated at all. The Portal server-side code should take care of ensuring that the JS code works (basically the nonce should match the token in your inline JS).
     
    Are you missing a "self" there in your script-src?
    For example:
     
    script-src 'self' 'nonce'
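
The per-request nonce behaviour discussed in this thread, as an added example that is not Power Pages code and not from any poster: a generic sketch of a server issuing a fresh nonce per response, plus a check for which inline scripts a given header would block. The `{{NONCE}}` placeholder, the template, the function names, and the substitution of the bare `'nonce'` token are assumptions made for illustration.

```javascript
// Added illustration of per-request CSP nonces; not Power Pages source code.
const { randomBytes } = require('node:crypto');

// Constructed page with two inline scripts; {{NONCE}} is a hypothetical placeholder.
const TEMPLATE = [
  '<html><body>',
  '<script nonce="{{NONCE}}">console.log("entity list init");</script>',
  '<script nonce="{{NONCE}}">console.log("form validation");</script>',
  '</body></html>',
].join('\n');

// Policy as configured; assumption: the bare 'nonce' token is swapped per response.
const CONFIGURED_POLICY = "script-src 'self' 'nonce'";

// Build one response: a fresh random nonce, identical in the header and every inline script.
function renderResponse(policy = CONFIGURED_POLICY, template = TEMPLATE) {
  const nonce = randomBytes(16).toString('base64'); // 128 bits, unpredictable
  return {
    nonce,
    header: policy.replace("'nonce'", `'nonce-${nonce}'`),
    body: template.split('{{NONCE}}').join(nonce),
  };
}

// Nonce values that a CSP header allows.
function allowedNonces(header) {
  return [...header.matchAll(/'nonce-([A-Za-z0-9+\/_=-]+)'/g)].map((m) => m[1]);
}

// Inline <script> tags in the body that the given header would block.
function blockedInlineScripts(header, body) {
  const allowed = new Set(allowedNonces(header));
  const blocked = [];
  for (const m of body.matchAll(/<script\b([^>]*)>/g)) {
    const attrs = m[1];
    if (/\bsrc\s*=/.test(attrs)) continue; // external scripts fall under 'self'
    const n = /\bnonce="([^"]*)"/.exec(attrs);
    if (!n || !allowed.has(n[1])) blocked.push(m[0]);
  }
  return blocked;
}
```

A fixed nonce would let any injected script that copies the value pass the policy, which is why the value is regenerated on every response. Browsers also blank the `nonce` attribute in the rendered DOM once a CSP header is in effect, while the value stays readable through the script element's `nonce` property.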

     
