Skip to content

Commit 56e51a7

Browse files
instificationinstification
committed
Update readme
1 parent 7c84919 commit 56e51a7

File tree

1 file changed

+48
-0
lines changed

1 file changed

+48
-0
lines changed

README.md

Lines changed: 48 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -20,6 +20,29 @@ Add the following lines to your `package.json`:
2020

2121
and run `yarn build`
2222

23+
### Required Server Configuration
24+
25+
This addon requires a small modification to your customized `server.jsx` file to properly inject the CSP nonce into the Redux store.
26+
27+
After creating the Redux store in your route handler, add the following lines:
28+
29+
```javascript
30+
// Create a new Redux store instance
31+
const store = configureStore(initialState, history, api);
32+
33+
persistAuthToken(store, req);
34+
35+
// Set CSP nonce and header (from volto-csp addon)
36+
const { setCspHeader } = require('@plone-collective/volto-csp/middleware');
37+
const readCriticalCss =
38+
config.settings.serverConfig.readCriticalCss || defaultReadCriticalCss;
39+
setCspHeader(req, res, store, readCriticalCss(req));
40+
```
41+
42+
**Why is this needed?**
43+
44+
The addon uses express middleware to generate a unique nonce for each request, but the nonce must be added to the Redux store *after* the store is created in the route handler. This ensures the nonce is available to the `Html` component during server-side rendering.
45+
2346
## Basic Usage
2447

2548
This addon is enabled by setting one or more of the `RAZZLE_CSP_...` headers.
@@ -52,6 +75,31 @@ Volto includes a number of inline scripts. Good practice is to not use the `unsa
5275

5376
If `RAZZLE_CSP_DEFAULT_SRC` is set and no value for `RAZZLE_CSP_SCRIPT_SRC` is set. Then the addon will add the `script-src` directive as a duplicate of the `default-src` with the hashed inline scripts added.
5477

78+
## Nonce Support
79+
80+
This addon automatically generates a unique cryptographic nonce for each request and includes it in the CSP header. The nonce is available through:
81+
82+
### Redux Store
83+
84+
The nonce is added to the Redux store via the `SET_CSP_NONCE` action and can be accessed at `state.csp.nonce`. This allows components to access the nonce during server-side rendering.
85+
86+
### Environment Variable
87+
88+
To enable nonce attributes on script and style tags, set:
89+
90+
```
91+
RAZZLE_CSP_SET_NONCE=true
92+
```
93+
94+
When enabled, the nonce will be:
95+
- Automatically added to the CSP header as `'nonce-<value>'`
96+
- Available via `window.__webpack_nonce__` for webpack's style-loader
97+
- Included in script and style tags during server-side rendering
98+
99+
### Development Mode Support
100+
101+
In development mode, this addon includes a patched version of webpack's style-loader runtime that properly reads the nonce from `window.__webpack_nonce__`, ensuring dynamically injected `<style>` tags include the nonce attribute.
102+
55103
## Critical CSS
56104

57105
Volto allows you to automatically include [critical css](https://2022.training.plone.org/effective-volto/development/criticalCSS.html) as inline styles.

0 commit comments

Comments
 (0)