feat(security): implement nonce-based CSP to remove unsafe-inline and unsafe-eval from current policy #4424
Open
bogdanmariusc10 wants to merge 5 commits into main from
…e-eval

- Remove 'unsafe-inline' and 'unsafe-eval' from Content-Security-Policy
- Implement cryptographically secure nonce generation per request (secrets.token_urlsafe(16))
- Add csp_nonce Jinja2 global function for template access
- Update 19 inline scripts across 13 templates with nonce attributes
- Fix CSP consistency test to validate structure instead of exact match
- Add type annotations to new helper functions

Addresses pen testing findings:
- Prevents XSS attacks via inline script injection
- Blocks dynamic code execution (eval, Function constructor)
- Follows OWASP CSP best practices

Files modified:
- mcpgateway/middleware/security_headers.py (CSP implementation)
- mcpgateway/main.py (Jinja2 global registration)
- mcpgateway/version.py (fallback template support)
- tests/security/test_security_headers.py (updated CSP test)
- 13 HTML templates (added nonce attributes)

All tests passing, code formatted and linted.

Signed-off-by: Bogdan-Marius-Catanus <bogdan-marius.catanus@ibm.com>
added 4 commits
April 24, 2026 12:32
Signed-off-by: Bogdan-Marius-Catanus <bogdan-marius.catanus@ibm.com>
- Remove unsafe-inline from script-src (prevents XSS attacks)
- Remove unsafe-eval entirely (blocks dynamic code execution)
- Implement cryptographically secure nonce generation (128-bit entropy)
- Configure HTMX 2.0.3 with htmx.config.inlineScriptNonce
- Add 'unsafe-hashes' to script-src for inline event handlers
- Keep 'unsafe-inline' for style-src only (Alpine.js requirement)

Addresses pentesting report findings on CSP misconfiguration.

Signed-off-by: Bogdan-Marius-Catanus <bogdan-marius.catanus@ibm.com>
Signed-off-by: Bogdan-Marius-Catanus <bogdan-marius.catanus@ibm.com>
Signed-off-by: Bogdan-Marius-Catanus <bogdan-marius.catanus@ibm.com>
🔗 Related Issue
Closes #4330
Jira Issue: https://jsw.ibm.com/browse/ICACF-26
📝 Summary
This PR implements a comprehensive Content Security Policy (CSP) solution that removes unsafe-inline and unsafe-eval directives, addressing security vulnerabilities identified in the pentesting report.
What changed:
- unsafe-inline from script-src directive (prevents XSS attacks)
- unsafe-eval entirely from CSP (blocks dynamic code execution)
- secrets.token_urlsafe(16) (128 bits of entropy per request)
- 'unsafe-hashes' to script-src for inline event handlers (onclick, onload, etc.)
- htmx.config.inlineScriptNonce
- 'unsafe-inline' for style-src only (required for Alpine.js dynamic inline styles)
Why this matters:
🏷️ Type of Change
🧪 Verification
- make black isort autoflake
- make ruff
✅ Checklist
- make black isort pre-commit)
📓 Notes
Security Impact
Before:
After:
- 'unsafe-hashes'
- style-src 'unsafe-inline'
Implementation Details
Core CSP Implementation (mcpgateway/middleware/security_headers.py:295-311):
- secrets.token_urlsafe(16)
- request.state.csp_nonce for template access
- 'unsafe-inline' (Alpine.js requirement)
HTMX Configuration (mcpgateway/templates/admin.html:321-327):
- window.htmxConfig.inlineScriptNonce before HTMX bundle loads
HTMX Nonce Application (mcpgateway/admin_ui/admin.js:15-19):
- window.htmxConfig and applies to htmx.config.inlineScriptNonce
Files Modified:
- mcpgateway/middleware/security_headers.py - Core CSP with nonce generation
- mcpgateway/templates/admin.html - HTMX nonce configuration
- mcpgateway/admin_ui/admin.js - Applied nonce to htmx.config
- .secrets.baseline - Updated baseline
Technical Notes
HTMX 2.0.3 Compatibility:
- 'unsafe-hashes'
- 'unsafe-hashes' for inline handlers
Alpine.js Requirement:
- 'unsafe-inline' in style-src (cannot use nonces for styles)
Security Trade-offs:
- 'unsafe-hashes' allows inline event handlers (onclick, etc.) - acceptable for trusted admin UI
- 'unsafe-inline' for styles only - lower risk than scripts
- 'unsafe-eval' - highest priority security improvement
PenTest Findings Addressed
✅ unsafe-inline removed from script-src - Replaced with nonce-based whitelisting
✅ unsafe-eval removed entirely - No dynamic code execution allowed
✅ Modern CSP implementation - Follows OWASP best practices
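An added example, not code from this PR or from the project: a stdlib-only sketch of the policy shape described above (per-request nonce from secrets.token_urlsafe(16), 'unsafe-hashes' in script-src, 'unsafe-inline' in style-src only), together with a structural check of the kind the commit message mentions in place of an exact-string comparison. The function names, the default-src value and the sample handler text are assumptions. Browsers apply 'unsafe-hashes' only to inline handlers whose hash is also listed in script-src, so the check flags the keyword when no hash source accompanies it.

```python
from __future__ import annotations

import base64
import hashlib
import secrets

HASH_PREFIXES = ("'sha256-", "'sha384-", "'sha512-")

def new_nonce() -> str:
    """Fresh value per response: 16 random bytes = 128 bits, as in the PR."""
    return secrets.token_urlsafe(16)

def handler_hash(handler_js: str) -> str:
    """CSP hash source for the exact text of one inline event handler."""
    digest = hashlib.sha256(handler_js.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

def build_csp(nonce: str, handlers: list[str]) -> str:
    """Build the header value; default-src 'self' is an assumed baseline."""
    script_src = ["'self'", f"'nonce-{nonce}'"]
    if handlers:  # 'unsafe-hashes' only matters together with hash sources
        script_src += ["'unsafe-hashes'"] + [handler_hash(h) for h in handlers]
    policy = {
        "default-src": ["'self'"],
        "script-src": script_src,
        "style-src": ["'self'", "'unsafe-inline'"],  # styles only, per the PR
    }
    return "; ".join(f"{name} {' '.join(v)}" for name, v in policy.items())

def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into directives; the first occurrence of a name wins."""
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def script_src_problems(header: str) -> list[str]:
    """Structural check: test the properties that matter, not the exact string."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src", []))
    problems = [f"script-src allows {bad}"
                for bad in ("'unsafe-inline'", "'unsafe-eval'") if bad in sources]
    if not any(s.startswith("'nonce-") for s in sources):
        problems.append("script-src has no nonce")
    if "'unsafe-hashes'" in sources and not any(s.startswith(HASH_PREFIXES) for s in sources):
        problems.append("'unsafe-hashes' has no hash source to match")
    return problems
```

A hash source matches only the byte-exact handler text, so any edit to an onclick attribute in a template needs the listed hash regenerated.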