  • Nevena Nikolic 5 posts 25 karma points
    Sep 29, 2017 @ 09:02
    Nevena Nikolic

    Hello everyone,

    we are trying to implement security headers on our website and one of them is Content-Security-Policy. I started adding sources that we trust, but I am having issues opening the Umbraco back office because it's trying to execute inline scripts.

    Another issue that I faced is that if I try putting in a hash value I always get a "new one"; it looks like the script is "generated" on the fly, or there are 10+ scripts that are printed and executed inline.

    Is there any easy workaround for this issue that we are facing?

    Kind Regards

  • Sebastiaan Janssen 5052 posts 15505 karma points MVP admin hq
    Sep 30, 2017 @ 10:06
    Sebastiaan Janssen

    I wrote about this in depth here:

    Basically you need to ignore umbraco paths like so:

    <location path="umbraco">
      <system.webServer>
        <urlCompression doStaticCompression="false" doDynamicCompression="false" dynamicCompressionBeforeCache="false" />
        <httpProtocol><customHeaders>
          <remove name="X-Frame-Options" />
          <add name="X-Frame-Options" value="SAMEORIGIN" />
          <remove name="Content-Security-Policy" />
          <add name="Content-Security-Policy" value="default-src 'self' *;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data:;font-src 'self';" />
        </customHeaders></httpProtocol>
      </system.webServer>
    </location>
  • Gary 80 posts 377 karma points
    Oct 28, 2019 @ 14:24

    Hi Sebastiaan,

    Do you have an updated link? It seems that the link now goes to default Umbraco installation screen.

    Thank you :)

    Kind Regards,

  • Nevena Nikolic 5 posts 25 karma points
    Oct 03, 2017 @ 13:05
    Nevena Nikolic

    Hi Sebastiaan,

    This worked, thank you a lot!

  • Jonathon Cove 6 posts 27 karma points
    1 day ago
    Jonathon Cove

    If anyone finds this (like I did) and wants to add a nonce in the Content-Security-Header to Umbraco v8, it can be done with a mixture of Umbraco UserComposers, OWIN, and HTML Helpers:

    using System;
    using System.Security.Cryptography;
    using Owin;
    using Umbraco.Core.Composing;
    using Umbraco.Web;

    public class NonceComposer : IUserComposer
    {
        public void Compose(Composition composition)
        {
            UmbracoDefaultOwinStartup.MiddlewareConfigured += UmbracoDefaultOwinStartup_MiddlewareConfigured;
        }
        private void UmbracoDefaultOwinStartup_MiddlewareConfigured(object sender, OwinMiddlewareConfiguredEventArgs e)
        {
            SetupNonce(e.AppBuilder);
        }
        private void SetupNonce(IAppBuilder app)
        {
            app.Use((context, next) =>
            {
                // Fresh, unpredictable nonce per request; GetBytes fills the buffer (otherwise it stays all zeros)
                var nonceBytes = new byte[32];
                using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(nonceBytes);
                var nonce = Convert.ToBase64String(nonceBytes);
                context.Set("ScriptNonce", nonce); // read back by the HTML helper
                //annoyingly, we can't get the current headers here
                string policy = string.Format(
                    " default-src 'self' 'nonce-{0}' * * * * * *;" +
                    " script-src 'self' 'nonce-{0}' * *;" +
                    " style-src 'self' 'nonce-{0}' * * * * * *"
                , nonce);
                context.Response.Headers.Set("Content-Security-Policy", policy);
                return next();
            });
        }
    }

    Html Helper

    using System.Web;
    using System.Web.Mvc;

    public static class NonceHelper
    {
        public static IHtmlString GetTheNonce(this HtmlHelper helper)
        {
            // Read the per-request nonce the OWIN middleware stored in the environment
            var owinContext = helper.ViewContext.HttpContext.GetOwinContext();
            return MvcHtmlString.Create(owinContext.Get<string>("ScriptNonce"));
        }
    }

    You can then use it in .cshtml files like this:

    <script nonce="@Html.GetTheNonce()">

    (As long as you add a using statement at the top of the .cshtml file for whichever namespace the NonceHelper sits in)

    You should also remove any settings of the Content-Security-Header in the .config files. It's technically possible to combine them, but I couldn't get it to work properly.
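
As an added illustration (not code from this thread or from Umbraco), here is the decision a browser makes for an inline script under the policies discussed above, in Python: the relaxed back-office policy with 'unsafe-inline', a strict policy that reproduces the breakage from the first post, a hash-source, and a per-request nonce generated the same way as the OWIN middleware. It also shows why a hash appears to "change": it covers the exact script body, so any per-request content inside the script yields a different hash. The sample policy strings and the inline script body are constructed for the example.

```python
import base64
import hashlib
import secrets

def make_nonce() -> str:
    """Fresh per-response nonce: 32 random bytes, base64 (same shape as the middleware above)."""
    return base64.b64encode(secrets.token_bytes(32)).decode("ascii")

def script_hash(source: str) -> str:
    """CSP hash-source for an inline script: sha256 over the exact bytes between the tags."""
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

def _directive_sources(policy: str, name: str):
    """Source list of one directive, or None when the policy does not set it."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == name:
            return parts[1:]
    return None

def inline_script_allowed(policy: str, source: str, nonce=None) -> bool:
    """Would the browser run an inline <script> with body `source` under `policy`?
    script-src governs inline scripts; default-src is the fallback when it is absent.
    Per CSP Level 2, 'unsafe-inline' is ignored once any nonce- or hash-source is listed,
    so a policy cannot be "half strict"."""
    sources = _directive_sources(policy, "script-src")
    if sources is None:
        sources = _directive_sources(policy, "default-src") or []
    if nonce is not None and f"'nonce-{nonce}'" in sources:
        return True
    if script_hash(source) in sources:
        return True
    strict = any(s.startswith("'nonce-") or s.startswith("'sha") for s in sources)
    return "'unsafe-inline'" in sources and not strict

# Constructed sample: the relaxed back-office policy from the thread versus a strict one.
RELAXED = "default-src 'self' *;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';"
STRICT = "default-src 'self'; script-src 'self'"
INLINE = "window.umbracoConfig = {};"  # stands in for an inline back-office script

if __name__ == "__main__":
    print("relaxed:", inline_script_allowed(RELAXED, INLINE))   # True
    print("strict:", inline_script_allowed(STRICT, INLINE))     # False: the back-office breakage
    print("hashed:", inline_script_allowed(f"script-src 'self' {script_hash(INLINE)}", INLINE))  # True
    n = make_nonce()
    print("nonced:", inline_script_allowed(f"script-src 'self' 'nonce-{n}'", INLINE, nonce=n))  # True
```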
