security: add CSP nonce attributes to inline scripts and styles

Added @cspnonce to all inline <script> and <style> tags in layout, explorer, and register views. Enabled nonce generation in headers config. unsafe-inline kept as fallback. Nonces will activate after container restart when the Headers Boot registers the Blade directive. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-04 10:22:38 +01:00 · 2026-04-04 10:22:38 +01:00 · 8a21996add
commit 8a21996add
parent a04c5a226d
4 changed files with 5 additions and 5 deletions
--- a/app/Mod/Explorer/Views/index.blade.php
+++ b/app/Mod/Explorer/Views/index.blade.php
@ -77,7 +77,7 @@
        <a href="/names">Name directory &rarr;</a>
    </div>

-    <script>
+    <script @cspnonce>
    (function() {
        var feed = document.getElementById('feed-entries');
        var dot = document.getElementById('feed-dot');
--- a/app/Mod/Names/Views/register.blade.php
+++ b/app/Mod/Names/Views/register.blade.php
@ -42,7 +42,7 @@
    </div>
 </div>

-<script>
+<script @cspnonce>
 (function() {
    var input = document.getElementById('name-input');
    var btn = document.getElementById('check-btn');
--- a/app/Website/Lethean/Views/layout.blade.php
+++ b/app/Website/Lethean/Views/layout.blade.php
@ -48,7 +48,7 @@
    </script>
    @endverbatim
    @yield('schema')
-    <style>
+    <style @cspnonce>
        :root {
            --bg: #0a0e17; --surface: #111827; --border: #1f2937;
            --text: #e5e7eb; --muted: #9ca3af; --accent: #818cf8;
@ -96,7 +96,7 @@

        code { background: var(--surface); padding: 0.125rem 0.375rem; border-radius: 0.25rem; font-size: 0.85em; }
    </style>
-    <script>window.LTHN_API = '{{ config('chain.api_url', '') }}';</script>
+    <script @cspnonce>window.LTHN_API = '{{ config('chain.api_url', '') }}';</script>
 </head>
 <body>
    <nav>
--- a/config/headers.php
+++ b/config/headers.php
@ -82,7 +82,7 @@ return [
        // Enable nonce-based CSP. Disabled by default because Livewire and
        // Alpine inject inline scripts/styles that cannot carry nonces.
        // Enable only if your app does not use Livewire.
-        'nonce_enabled' => env('SECURITY_CSP_NONCE_ENABLED', false),
+        'nonce_enabled' => env('SECURITY_CSP_NONCE_ENABLED', true),

        // Nonce length in bytes (16 = 128 bits, recommended minimum)
        'nonce_length' => env('SECURITY_CSP_NONCE_LENGTH', 16),