wyday / mod_cspnonce Goto Github PK

View Code? Open in Web Editor NEW

20.0 20.0 6.0 50 KB

Apache2 module that makes it dead simple to add "nonce" values to the CSP (content security policy) headers

License: Apache License 2.0

C 100.00%

mod_cspnonce's People

Contributors

Stargazers

Watchers

Forkers

ppryor63 dirkx celane cleyfaye

mod_cspnonce's Issues

Binary can't be used in Apache 2.2.29 on Windows

I have an old system running Apache 2.2.29 (Win64) on Windows Server 2012. The pre-compiled module will cause error while starting Apache. The message reads:
httpd: Syntax error on line 508 of D:/Apache/conf/httpd.conf: API module structure 'cspnonce_module' in file D:/Apache/modules/mod_cspnonce.so is garbled - expected signature 41503232 but saw 41503234 - perhaps this is not an Apache module DSO, or was compiled for a different Apache version?

What should I do? If I have to compile it by myself, is there any options I need to change?

Regards,
Gary

version 1.4 just returning error 500 in apache 2.4.18

Hello,

I just installed the mod_cspnonce 1.14 in Ubuntu server 16.04.07 LTS with apache 2.14.18 and apparently the cspnonce module cannot generate the nonce and makes the apache return error 500. How to solve this?
Thank you.

nonce value of 128-bits

Hi, is it possible to increase the nonce size?
This validator: https://cspvalidator.org/ says that CSP specification recommends nonce of 128-bits (before encryption)

Works for main domain but not for subdomain

Hi,

The module always works fantastic for our main.domain, but now we deployed an admin panel on admin.main.domain and in html response it loads ...<script src="/js/app.bec01de2.js" nonce=""></script>.... instead of f.e. nonce=nonce-3uR3CIhP/fWxT3n/Tefw35rO which I can see in the header. Any idea what might be causing this strange behaviour?

Apache/2.4.54 (Ubuntu 22.04)
CSP deployed in main apache.conf file

Compilation error with apxs [Linux RHEL]

Hi,

Using apache 2.4 and have apxs installed.
upon compilation, we are seeing errors with TIME_UTC. Looking online it seems there have been some issues with this and MACOS, but we are using RedHat, so i would assume we wouldn't have issues with time.h

please see error from commandline.

Could you please assist
Thank You

CSP Nonce gives null value

I am getting null value for the CSP Nonce. Is any particular reason for that?

httpd version - Apache/2.4.6 (CentOS)
kernal version - 5.4.168-1.el7.elrepo.x86_64
os name and its version - CentOS Linux 7 (Core)

Errors using "apxs" on macOS

Hi there!

Thanks for this project, looks really nice.

I'm having issues building this module, I'm using XAMPP on macOS, so I run:

/Applications/XAMPP/xamppfiles/bin/apxs -ci /my/path/to/mod_cspnonce.c

And it returns some errors and warnings:

/my/path/to/mod_cspnonce.c:83:9: error:
      redefinition of 'r' with a different type: 'int' vs 'const request_rec *' (aka
      'const struct request_rec *')
    int r;
        ^
/my/path/to/mod_cspnonce.c:51:52: note: previous
      definition is here
const char * GenSecureCSPNonce(const request_rec * r)
                                                   ^
/my/path/to/mod_cspnonce.c:86:9: warning: implicit
      declaration of function 'timespec_get' is invalid in C99
      [-Wimplicit-function-declaration]
    if (timespec_get(&ts, TIME_UTC) == 0)
        ^
/my/path/to/mod_cspnonce.c:86:27: error: use of
      undeclared identifier 'TIME_UTC'
    if (timespec_get(&ts, TIME_UTC) == 0)
                          ^
/my/path/to/mod_cspnonce.c:94:7: warning:
      incompatible integer to pointer conversion assigning to 'const request_rec *'
      (aka 'const struct request_rec *') from 'long' [-Wint-conversion]
    r = random();
      ^ ~~~~~~~~
/my/path/to/mod_cspnonce.c:98:7: warning:
      incompatible integer to pointer conversion assigning to 'const request_rec *'
      (aka 'const struct request_rec *') from 'long' [-Wint-conversion]
    r = random();
      ^ ~~~~~~~~
/my/path/to/mod_cspnonce.c:103:7: warning:
      incompatible integer to pointer conversion assigning to 'const request_rec *'
      (aka 'const struct request_rec *') from 'long' [-Wint-conversion]
    r = random();
      ^ ~~~~~~~~
4 warnings and 2 errors generated.
apxs:Error: Command failed with rc=65536

Is there anything I'm missing here?

Hope this could be solved soon, and thanks again for this module!

Not really an issue about the code... but getting it enabled is a problem

I'm having some issues enabling this within Plesk Obsidian running on Ubuntu 22.04.1 LTS. The option under Apache modules is there after compiling but when enabling it I get an error which I cant find any info anywhere on the internet, I'd really appreciate any tips on getting it working.

I get this error: Error: START httpd_modules_ctl --enable cspnonce -e Load file /etc/apache2/mods-available/cspnonce.load for a2enmod not found resource(s) deleted

I can see that the .so file is copied over but within /etc/apache2/mods-available/ there's no cspnonce.load, what could I have done wrong?

EDIT: If anyone else is new to this like me and having the same problem I figured it out an hour or so later, I just created a new file once I knew how the other apache modules looked. Using nano, just create a new file called cspnonce.load and paste LoadModule cspnonce_module /usr/lib/apache2/modules/mod_cspnonce.so and voila, it will work!

Is there any Windows Library for Win 64 VS15?

Hello,
I'm using laragon with PHP 7.4 and Apache 2.4.35 (VS15) but your latest library for Windows is VS16, is there any version that can match with my apache? Thank you!

mod_cspnonce.so module for wamp not working

Hi,

As documented, I build the module using Visual Studio. When I included the generated mod_cspnonce.so file, Apache service didn't start. Any guess what went wrong?

Apache Version: 2.4.35
Wamp Version: 3.1.4

Regards
Ankit

Failing of random generator may slip through

Generation of randomness is not very secure

Ideally a cryptographic random generator should be used. Esp. in a multi homed setup.