Power Pages - General Discussions

CSP script-src has 'nonce' enabled but still has sha256-...

Hi community,
 
I'd like to ask for clarification as to why this is happening. In our CSP, I placed the recommended value, script-src 'self' content.powerapps.com 'nonce'. I expected it to generate a nonce value in the script and CSP, and it did. But our IT team was not okay with the fact that there were sha256-... hashes in the CSP. Like I said, only 'self', content.powerapps.com, and 'nonce' are placed inside the CSP value. Why are these sha256 values here? And should our IT team be worried? I told them that these wouldn't make the website insecure, having the values present. But what they want is to not have the hashing method present, which is SHA-256. What to do?
 
Thank you in advance, and regards,
Adrian
  • Suggested answer from oliver.rodrigues (Most Valuable Professional):
    I would keep putting pressure on Microsoft here to provide clarification.

    Security is a hot topic and they should give it some attention, but that's just my opinion.
  • Reply from apangeles_:
    This is also what we suspect. If we enable the nonce, either by manual input in the site settings or by enabling it in Power Pages' website maker, the backend script changes to include nonces. When you remove the nonce, it returns to the original script. We suspect that this change also brings the setting to inject these SHA-2 hashes in the website, and that they are a functional or stylistic requirement by Power Pages for it to run.
     
    The complication here is, you're correct, that there is no documentation to support this claim. I've already opened a ticket with Microsoft but I've yet to receive a response from them. I hope it all goes well. 
     
    Without this reference from Microsoft, we do not have any justification for our IT security team to let us pass their VAPT testing. It's already been a frustrating set of weeks trying to figure things out. 
     
    Thanks for your support, @oliver.rodrigues
     
    Could you advise us if our assumption is correct?
     
    Regards,
    apangeles_
  • Suggested answer from oliver.rodrigues (Most Valuable Professional):
    The SHA-256 hash is generated automatically by Power Pages.
     
    My understanding is that they are used internally and should not represent any security concern here. I can't find anything official from Microsoft on what they are used for, but I wouldn't be worried here.
     
    Also note that your actual scripts won't have the nonce value by default in the HTML code; that's because they are rendered server-side before the nonce value is generated. This is also expected.
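As an added example (not from this thread, and not Power Pages code), the following Python script shows what a `sha256-...` entry in `script-src` actually is and how a security team can account for each one: it parses the CSP header, separates keyword, host, nonce and hash sources, and computes the hash source expression for each inline script body found in the page, in the same way a browser does (SHA-256 over the UTF-8 text content, base64-encoded). A hash source permits exactly one script body, the one whose digest it is, so pairing each hash with a script on the page documents what it allows, and any hash that matches no script on the page is flagged as one to ask the platform vendor about. The CSP value, the inline script and the unexplained placeholder hash below are constructed for the example.

```python
import base64
import hashlib
import re

# A CSP hash source looks like 'sha256-<base64 digest>' (sha384/sha512 are also valid).
HASH_SOURCE = re.compile(r"^'(sha256|sha384|sha512)-[A-Za-z0-9+/=]+'$")


def parse_csp(header: str) -> dict:
    """Split a CSP header value into {directive-name: [source expressions]}."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def classify_sources(sources: list) -> dict:
    """Separate script-src sources into keywords, host sources, nonces and hashes."""
    out = {"keywords": [], "hosts": [], "nonces": [], "hashes": []}
    for src in sources:
        if src.startswith("'nonce-") and src.endswith("'"):
            out["nonces"].append(src[len("'nonce-"):-1])
        elif HASH_SOURCE.match(src):
            out["hashes"].append(src[1:-1])
        elif src.startswith("'"):
            out["keywords"].append(src)  # 'self', 'unsafe-inline', ...
        else:
            out["hosts"].append(src)
    return out


def script_hash(body: str, algo: str = "sha256") -> str:
    """Hash source expression for an inline script body: digest of the exact UTF-8 text, base64-encoded."""
    digest = hashlib.new(algo, body.encode("utf-8")).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def audit_inline_scripts(header: str, inline_scripts: list) -> dict:
    """Match each hash source in script-src against the inline script bodies found in the page.

    A hash source permits exactly one script body, so a hash that matches no script
    on the page cannot be explained from the page contents alone.
    """
    info = classify_sources(parse_csp(header).get("script-src", []))
    known = {script_hash(body): body for body in inline_scripts}
    covered = {h: known[h] for h in info["hashes"] if h in known}
    unexplained = [h for h in info["hashes"] if h not in known]
    return {
        "nonces": info["nonces"],
        "hosts": info["hosts"],
        "covered": covered,
        "unexplained": unexplained,
    }


# Constructed sample inputs (not taken from a real Power Pages site).
SAMPLE_SCRIPT = "window.dataLayer = window.dataLayer || [];"
SAMPLE_SCRIPT_HASH = script_hash(SAMPLE_SCRIPT)
# Placeholder for a hash whose script is not on the page: base64 of 32 zero bytes.
UNEXPLAINED_HASH = "sha256-" + base64.b64encode(bytes(32)).decode("ascii")
SAMPLE_CSP = (
    "default-src 'self'; "
    "script-src 'self' content.powerapps.com 'nonce-dGVzdG5vbmNl' "
    f"'{SAMPLE_SCRIPT_HASH}' '{UNEXPLAINED_HASH}'; "
    "style-src 'self'"
)

if __name__ == "__main__":
    report = audit_inline_scripts(SAMPLE_CSP, [SAMPLE_SCRIPT])
    print("nonces:", report["nonces"])
    print("hosts:", report["hosts"])
    for h, body in report["covered"].items():
        print(f"{h} covers inline script: {body!r}")
    for h in report["unexplained"]:
        print(f"{h} matches no inline script on the page; ask the platform what it covers")
```

To use it against a real site, copy the `Content-Security-Policy` header value and the text content of each inline `<script>` element from the served HTML; the digest is taken over the exact element text, so leading or trailing whitespace changes the result. Each hash the script reports as covered is a fingerprint of that one script body and allows nothing else; only the hashes it reports as unexplained need a vendor explanation.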