Generating nonces for the ASAP add-on

Suppose your website or mobile app has a CSP (Content Security Policy) with script-src (a directive that controls a set of script-related privileges). In that case, you will not be able to embed the ASAP add-on using the regular code snippet. You need to modify the code to generate and pass a nonce value to the script attribute in the ASAP code snippet.

What is a nonce?
A nonce, with respect to Content Security Policy, is a value used only once, and it must be so random that it is unpredictable. In practice, a nonce should be a cryptographically strong random value of at least 128 bits. A new nonce must also be generated for every page load; otherwise an attacker who learns a reused nonce can inject arbitrary scripts that bypass the CSP.

Why should you use nonces?
When you use CSP, you will need to add a nonce to every inline script block. The nonce tells the browser that the server intended to serve this script block: the browser executes it only if the nonce attribute in the script tag matches the nonce value in the CSP header. This way, you can use it to detect and mitigate the likes of Cross-Site Scripting (XSS) and data injection attacks.

How to generate nonce values?
From your web server, generate a random base64-encoded string of at least 128 bits of data from a cryptographically secure random number generator. Note that you must generate a different nonce each time the page loads (a nonce is, by definition, used only once). Here are some examples:

Node.js:

const crypto = require('crypto');
// 16 random bytes = 128 bits, base64-encoded
const nonce = crypto.randomBytes(16).toString('base64');
// e.g. '6JDFIvPbrWANKpSJ8vlv6b=='

Java:

byte[] bytes = new byte[16]; // 128 bits from a cryptographically secure RNG
new java.security.SecureRandom().nextBytes(bytes);
String nonce = java.util.Base64.getEncoder().encodeToString(bytes);

Python:

import base64
import os

def GetCspNonce():
    """Returns a random base64-encoded nonce of 128 bits as a string."""
    NONCE_LENGTH = 16  # bytes
    return base64.b64encode(os.urandom(NONCE_LENGTH)).decode('ascii')


Next Steps
Now that you have generated a nonce value, the next step is to:
  1. Pass the nonce value to the script-src directive of the Content-Security-Policy header, prefixed with nonce- (for example, script-src 'nonce-<value>').
  2. Pass the same nonce value to the script attribute in the ASAP code snippet.
