BenReppe
Community Manager

Implementing Nonce Support for Enhanced CSP Security in UCP

Nonce Support for Universal Consent Platform (UCP)

A nonce (short for "number used once") is a unique, cryptographically random token. It plays a critical role in Content Security Policy (CSP): the browser executes an inline script only if its nonce attribute matches the nonce declared in the policy, which helps prevent cross-site scripting (XSS) attacks and other code injection vulnerabilities.

Using nonces allows organizations to implement strict CSP policies while permitting trusted inline scripts to run securely. For more information, refer to the MDN Web Docs on Content Security Policies (CSP).

Adding a Nonce Attribute to the Site Notice Tag

The UCP Site Notice Tag supports nonce attributes, enabling compatibility with strict CSP configurations. To add a nonce:

  1. Log in to Privacy.
  2. Navigate to the Site Notices page and click Get Site Notice Tag.
  3. From the Select Tag Type dropdown, choose Site Notice Tag.
  4. Check the option Allow Nonce Attribute.
  5. Copy the script and deploy it on your website.

For further details on deploying a site notice and tag wrapping, refer to the documentation.


Methods for Adding a Nonce

Option 1: Using the Global Property

  • Assign a nonce value to the global property window.__UNIQUE_CSP_NONCE before the UCP Evidon script tag executes.
  • Note: This method is not recommended as it could expose the nonce value, compromising security.

Option 2: Directly Adding a Nonce to the Site Notice Tag

  • Replace the {{UNIQUE_GENERATED_NONCE}} placeholder with a value that is dynamically generated for each request.

This ensures the nonce is securely applied to all scripts managed by Evidon.
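
Option 2 as a server-side sketch, added here as an example (not Crownpeak or Evidon code): Node.js generates a fresh nonce for each response, substitutes it for the placeholder, and sends the matching CSP header. The page template, the policy string and the function names are assumptions; the real tag is the one copied from the Get Site Notice Tag dialog.

```javascript
const { randomBytes } = require("node:crypto");

// Constructed stand-in for the copied Site Notice Tag; only the
// {{UNIQUE_GENERATED_NONCE}} placeholder comes from the article.
const PLACEHOLDER = "{{UNIQUE_GENERATED_NONCE}}";
const PAGE_TEMPLATE = `<!doctype html>
<html><head>
<script nonce="${PLACEHOLDER}">/* Site Notice Tag body goes here */</script>
</head><body>Example page</body></html>`;

// 128 bits from the OS CSPRNG, base64-encoded for use in a CSP nonce-source.
function generateNonce() {
  return randomBytes(16).toString("base64");
}

// Build one response: a fresh nonce goes into both the header and the tag.
function renderResponse(template = PAGE_TEMPLATE) {
  if (!template.includes(PLACEHOLDER)) {
    // Without the placeholder the tag gets no nonce and a strict CSP blocks it.
    throw new Error("template has no " + PLACEHOLDER + " placeholder");
  }
  const nonce = generateNonce();
  return {
    nonce,
    headers: {
      // Example policy (assumption); extend it to fit your site.
      "Content-Security-Policy":
        `script-src 'nonce-${nonce}'; object-src 'none'; base-uri 'none'`,
      // A cached page would replay the same nonce to every visitor.
      "Cache-Control": "no-store",
    },
    body: template.split(PLACEHOLDER).join(nonce),
  };
}

// Deployment check: every <script> tag carries the nonce named in the header.
function scriptsMatchPolicy({ headers, body }) {
  const m = /'nonce-([^']+)'/.exec(headers["Content-Security-Policy"] || "");
  const tags = body.match(/<script\b[^>]*>/gi) || [];
  return m !== null && tags.length > 0 &&
    tags.every((tag) => tag.includes(`nonce="${m[1]}"`));
}
```

Running scriptsMatchPolicy against rendered pages in a deployment test catches templates where the placeholder was left unreplaced or a script tag was added without a nonce.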

Adding a Nonce with the Evidon GTM Template

If you use Google Tag Manager (GTM) to deploy your scripts, you can configure nonce attributes by following Google's CSP Guidelines for GTM.

Key Notes for Third-Party Tags

  • Evidon does not manage third-party tags.
  • Ensure the nonce attribute is configured for third-party scripts according to their specific guidelines.

For additional assistance or questions, reach out to our support team at support@crownpeak.com.

 
