Plug_content_security_policy - Generate CSP headers with support for CSP Level 2 nonces

Hey everyone- I’ve released a new version of my library plug_content_security_policy, which aids in the generation of CSP headers for Plug/Phoenix applications.

Setting a Content Security Policy header for your application helps mitigate the risk of cross-site scripting and malicious asset injection by letting you control what sorts of requests are allowed from a page. See the link above for more info and examples.

Version 0.2 of PlugContentSecurityPolicy adds support for report-only mode, which you can use to test your policy for violations without breaking those requests on your site.


Thank you so much for creating and open sourcing this.

  1. Could you please include a small video walkthrough of the setup steps in a demo web app? I am trying to set it up and getting stuck while adding the module to pipeline.

  2. Could you please elaborate if this module also adds the nonces to the script tag? Or does it just generate the nonces and you have to rewrite all the inline scripts to include the generated nonce?

I want all of my inline scripts to have following format