web
You’re offline. This is a read only version of the page.
close
Skip to main content

Notifications

Announcements

Welcome to the Power Platform Communities
Season of Giving Solutions is Here!
Explore Copilot Studio Forums, Blogs & Galleries!
News and Announcements icon
Community site session details

Community site session details

Session Id :
Power Platform Community / Forums / Power Pages / Power Pages : How to s...
Power Pages
Suggested Answer

Power Pages : How to set dynamic nonce in CSP headers

(1) ShareShare
ReportReport
Posted on by VKartik 18
Hi Team,
 
As a part of security we were advised to add CSP headers in our Power Page application
In CSP headers when we add script-src tag , few core functionalities of our application stops working.
This is because script-src will not allow inline scripts to execute.
 
This can be overcome by using nonce tag which need to be enabled using Power Page management app.
But what we noticed is nonce tag is getting added to inline scripts with dynamically generated value.
 
This dynamically generated value is getting changed with every request.
 
Do we have any way to configure dynamic nonce value in Power Page Management security settings ?

Following is the snapshot of dynamically generated nonce value

Categories:
Security
I have the same question (0)
  • Suggested answer
    oliver.rodrigues Profile Picture
    oliver.rodrigues 9,368 Most Valuable Professional on at
    My understanding here is that you don't need to worry about the dynamic token that is generated at all. The Portal server-side code should take care of ensuring that the JS code works (basically the nonce should match the token in your inline JS).
     
    Are you missing a "self" there in your script-src?
    for example:
     
    script-src 'self' 'nonce'

     

  • VKartik Profile Picture
    VKartik 18 on at
    Hi 

    Thanks for your response
    I tried adding 'self' to script-src but that also doesn't help and i get the same error.
    Also i synced the settings after adding
    Following is the screenshot

  • MikiC Profile Picture
    MikiC 2 on at
    Hi,
     
    Is this the right way to use nonce?
     
    Site setting
     
     
    Some javascript on my entity list:
     
     
    Script in Developer tools. Nonce has been added but it has no value.
     
     
    No errors in console.
     
    It bothers me that there is no value.
     
    Best regards
    Miki

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

News and Announcements

Welcome to the Power Platform Communities
Season of Giving Solutions is Here!
Explore Copilot Studio Forums, Blogs & Galleries!

Quick Links

Forum hierarchy changes are complete!

In our never-ending quest to improve we are simplifying the forum hierarchy…

Ajay Kumar Gannamaneni – Community Spotlight

We are honored to recognize Ajay Kumar Gannamaneni as our Community Spotlight for December…

Congratulations to the November Top 10 Community Leaders!

These are the community rock stars!

Leaderboard > Power Pages

#1
Fubar Profile Picture

Fubar 74 Super User 2025 Season 2

#2
Jerry-IN Profile Picture

Jerry-IN 55

#3
sannavajjala87 Profile Picture

sannavajjala87 31

Last 30 days Overall leaderboard

Featured topics

Solution to LinkedIn Authentication in Power Apps Portals
Welcome to the Power Pages forum!

Product updates

Microsoft Power Platform Community release plans