I’m trying to set up a strict Content Security Policy (CSP) for Grafana when it’s proxied through Apache. CSP requires that all inline scripts include a nonce. I have successfully configured Apache to generate a unique nonce using `mod_unique_id` and pass it as a custom HTTP header (`X-Nonce`) in the response.
However, I’m facing the following issues:
- Grafana includes `<script nonce="">` in the HTML, but the value is not dynamically replaced with the nonce from the proxy.
- Attempts to use Apache’s `mod_rewrite`, `mod_substitute`, or `mod_sed` to inject the nonce have failed.
Steps Taken:
- Enabled `mod_unique_id` and verified that the `UNIQUE_ID` is being generated successfully.
- Configured `RewriteRule` to set the `MY_NONCE` environment variable:

```apache
RewriteEngine On
# Copy the per-request UNIQUE_ID into the MY_NONCE environment variable
RewriteRule .* - [E=MY_NONCE:%{UNIQUE_ID}]
```

- Used `Substitute` to replace the nonce in the response:

```apache
# Run the SUBSTITUTE output filter on HTML responses
AddOutputFilterByType SUBSTITUTE text/html
# Intended to put the MY_NONCE value into the empty nonce attribute
# (flags: n = treat the pattern as a fixed string, i = case-insensitive)
Substitute "s|<script nonce=\"\">|<script nonce=\"%{MY_NONCE}e\">|ni"
```

- Added a custom HTTP header for debugging:

```apache
# Expose the MY_NONCE value as a response header
Header set X-Nonce "%{MY_NONCE}e"
```
Observed Behavior:
- The `X-Nonce` header is correctly set with a unique value.
- The `Substitute` directive is not resolving `%{MY_NONCE}e`, and the resulting HTML contains:

```html
<script nonce="%{MY_NONCE}e">
```
Expected Behavior:
- The nonce should be dynamically inserted into the HTML:

```html
<script nonce="Z32Fn8lRIGOvwlHGQlsdZAAAAAA">
```
Questions:
- How can I dynamically inject the nonce into Grafana’s `<script>` tags?
- Is there a recommended way to modify Grafana’s behavior to read and use the `X-Nonce` header value?
- Are there known workarounds or plugins to support CSP with Grafana behind an Apache proxy?
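Added example, not part of the question above and not code from Grafana or Apache: `Substitute` only supports regex back-references (`$1` ... `$9`) in its replacement and never expands `%{VAR}e`, which is why the literal `%{MY_NONCE}e` ends up in the page. One way to get a per-request value into the body is an external output filter from `mod_ext_filter`, which starts its command with the request environment, so the `MY_NONCE` variable that `Header set X-Nonce "%{MY_NONCE}e"` reads is visible to the child process. The script below (assumed to be installed at the hypothetical path `/usr/local/bin/csp-nonce-filter.py`) reads the HTML on stdin, fills every empty `nonce=""` on `<script>` and `<style>` start tags from `MY_NONCE`, and writes the result to stdout. It validates the value against the CSP nonce grammar first, which matters here: a `mod_unique_id` value can contain `@`, which is not legal in a CSP nonce, and it is built from timestamp, pid, counter and server address rather than a CSPRNG, so it is not the unpredictable value a nonce is meant to be. On an invalid nonce the filter fails closed (leaves `nonce=""` in place so the policy still blocks the scripts) and reports to stderr, which mod_ext_filter routes to the Apache error log.

```python
#!/usr/bin/env python3
"""Output filter for mod_ext_filter (hypothetical script, added example).

Reads a response body from stdin and writes it to stdout with every empty
nonce="" attribute on <script>/<style> start tags filled from the MY_NONCE
environment variable, which mod_ext_filter passes through from the request
environment (the same variable the page's `Header ... %{MY_NONCE}e` reads).
"""
import os
import re
import sys

# A <script ...> or <style ...> start tag whose nonce attribute is empty, in
# either quote style. Only the attribute value is rewritten; the rest of the
# tag is left exactly as Grafana emitted it.
_EMPTY_NONCE = re.compile(
    r'(<(?:script|style)\b[^>]*?\bnonce=)(["\'])\2',
    re.IGNORECASE,
)

# CSP nonce grammar (base64-value): letters, digits, + / - _ and up to two
# trailing '='. Anything else would not parse as a 'nonce-...' source in the
# header, and an unexpected character must never reach an attribute value.
# Note that mod_unique_id's UNIQUE_ID may contain '@', which fails this check.
_CSP_NONCE = re.compile(r"^[A-Za-z0-9+/_-]+={0,2}$")


def is_valid_csp_nonce(nonce: str) -> bool:
    """True if nonce is safe to embed and will be accepted by the browser.

    The length floor assumes at least 128 bits of nonce (22 base64 chars);
    shorter values are rejected as too weak to serve as a nonce.
    """
    return len(nonce) >= 22 and _CSP_NONCE.match(nonce) is not None


def inject_nonce(html: str, nonce: str) -> str:
    """Return html with every empty nonce attribute set to nonce.

    Tags that already carry a non-empty nonce are left untouched. A nonce
    that fails is_valid_csp_nonce raises ValueError instead of being written
    into the document.
    """
    if not is_valid_csp_nonce(nonce):
        raise ValueError(f"refusing to inject invalid CSP nonce {nonce!r}")
    return _EMPTY_NONCE.sub(
        lambda m: f"{m.group(1)}{m.group(2)}{nonce}{m.group(2)}", html
    )


def main() -> int:
    nonce = os.environ.get("MY_NONCE", "")
    # surrogateescape round-trips any bytes that are not valid UTF-8 unchanged.
    body = sys.stdin.buffer.read().decode("utf-8", errors="surrogateescape")
    try:
        body = inject_nonce(body, nonce)
    except ValueError as exc:
        # Fail closed: nonce="" stays in place, so the CSP still blocks the
        # inline scripts, and the reason goes to stderr (Apache's error log).
        print(f"csp-nonce-filter: {exc}; body passed through unchanged",
              file=sys.stderr)
    sys.stdout.buffer.write(body.encode("utf-8", errors="surrogateescape"))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Wiring it in (directives quoted from their documented syntax, not from the question): define the filter with `ExtFilterDefine cspnonce mode=output intype=text/html cmd="/usr/local/bin/csp-nonce-filter.py"`, attach it inside the proxied `<Location>` with `SetOutputFilter cspnonce`, and emit the matching policy with the same expansion the page already shows working for `X-Nonce`, e.g. `Header set Content-Security-Policy "script-src 'nonce-%{MY_NONCE}e' 'strict-dynamic'"`. Two caveats: the filter only sees plain text, so strip `Accept-Encoding` from the proxied request (`RequestHeader unset Accept-Encoding`) or the upstream may gzip the body before the filter runs; and mod_ext_filter forks one process per response, which is acceptable for a dashboard UI but not for high-traffic paths. Since the nonce itself should come from a CSPRNG rather than `UNIQUE_ID`, it is also worth knowing that Grafana has its own nonce-aware CSP support (`content_security_policy` and `content_security_policy_template` in the `[security]` section of grafana.ini, where `$NONCE` is replaced per request), which would remove the need to patch the HTML at the proxy at all.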