
php - How can I access a custom $nonce for CSP in all view templates? - Stack Overflow


I am building a Laravel 11 app and using custom CSP middleware for the project. I have created ContentSecurityPolicy.php in the app/Http/Middleware folder and it contains this code:

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class ContentSecurityPolicy
{
    public function handle(Request $request, Closure $next): Response
    {
        // Generate a secure nonce (128 bits from the CSPRNG, base64-encoded)
        $nonce = base64_encode(random_bytes(16));
        $isLocal = $request->getHost() === '[::1]';

        // Allow-listed hosts reproduced as posted. The Vite dev-server origin is
        // prefixed with a space so it is not glued onto the preceding source token.
        $csp = "base-uri 'self'; "
            . "script-src 'self' 'nonce-{$nonce}'" . ($isLocal ? " http://[::1]:5173/" : "") . " https://fonts.bunny/ https://reetahoo/ https://pagead2.googlesyndication/ "
            . "https://goatauthut.xyz/ https://itweepinbelltor/ https://dicouksa/ https://goomaphy/ "
            . "https://veepteero/ https://pertawee/ https://shoordaird/ https://soathoth/ "
            . "https://thubanoa/ https://alwingulla/ https://tzegilo/ https://whaickossu/ "
            . "https://www.google/recaptcha/ https://widget.trustpilot/ https://cdn.datatables/ "
            . "https://coding-nonny.github.io/ https://api.countrystatecity.in/ https://ip-api/ "
            . "https://api.coinpaprika/ https://cdn.jsdelivr/ https://js.paystack.co/ "
            . "https://www.smartsuppchat/ https://widget-v3.smartsuppcdn/ http://translate.google/ "
            . "https://www.gstatic/ https://translate-pa.googleapis/ https://ipwhois.app/ "
            . "https://boupeeli/; "
            . "style-src 'self' 'unsafe-inline'" . ($isLocal ? " http://[::1]:5173/" : "") . " https://fonts.bunny/ https://cdnjs.cloudflare/ https://boupeeli/ https://goatauthut.xyz/ "
            . "https://fonts.googleapis/ https://coding-nonny.github.io/ https://cdn.datatables/ "
            . "https://cdn.jsdelivr/ https://www.smartsuppchat/ https://widget-v3.smartsuppcdn/ "
            . "http://translate.google/ https://rertessesse.xyz/ https://www.gstatic/ "
            . "https://translate-pa.googleapis/; "
            . "object-src 'none'; frame-ancestors 'none';";

        // Process request (the view is rendered inside this call)
        $response = $next($request);

        // Set CSP header
        $response->headers->set('Content-Security-Policy', $csp);

        // Share nonce with views (for inline scripts)
        view()->share('nonce', $nonce);

        return $response;
    }
}
```

And I registered the middleware in bootstrap/app.php (the replacement for Kernel.php in Laravel 11) like this:

```php
<?php

use Illuminate\Foundation\Application;
use Illuminate\Foundation\Configuration\Exceptions;
use Illuminate\Foundation\Configuration\Middleware;
use App\Http\Middleware\ContentSecurityPolicy;

return Application::configure(basePath: dirname(__DIR__))
    ->withRouting(
        web: __DIR__ . '/../routes/web.php',
        commands: __DIR__ . '/../routes/console.php',
        health: '/up',
    )
    ->withMiddleware(function (Middleware $middleware) {
        // Global middleware, runs first for every request
        $middleware->prepend(ContentSecurityPolicy::class);
    })
    ->withExceptions(function (Exceptions $exceptions) {
        //
    })->create();
```

But if I use $nonce in an inline script:

```html
<script nonce="{{ $nonce }}"></script>
```

I get this error: "Undefined variable $nonce". How can I solve it?

asked Jan 29 at 7:29 by Code28

1 Answer

Okay, I have found the solution. All I needed to do is to move this line

```php
view()->share("nonce", $nonce);
```

before

```php
$response = $next($request);
```

Everything will start working as expected.
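The middleware rewritten around that fix, as an added example that is not part of the original question or answer. The nonce is published before `$next()` runs (the reordering the answer describes), and it is additionally placed on the request attributes and handed to Laravel's `Vite` facade so `@vite` tags receive it without manual templating. The third-party allow-list is replaced with placeholder `*.example` origins, which are assumptions for this example; substitute your own. The `app()->environment('local')` guard, the `connect-src` entry for the Vite HMR websocket and the array-based policy builder are likewise additions not present in the original post.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Vite;
use Symfony\Component\HttpFoundation\Response;

class ContentSecurityPolicy
{
    /** Placeholder allow-lists (assumptions for this example, not real dependencies). */
    private const SCRIPT_HOSTS = ['https://cdn.example', 'https://widgets.example'];
    private const STYLE_HOSTS  = ['https://cdn.example', 'https://fonts.example'];

    /** Vite dev server origin used only during local development. */
    private const VITE_DEV    = 'http://[::1]:5173';
    private const VITE_DEV_WS = 'ws://[::1]:5173';

    public function handle(Request $request, Closure $next): Response
    {
        // One fresh nonce per response: 128 bits from the CSPRNG, base64-encoded.
        // Base64 output only contains characters that are legal inside 'nonce-...'.
        $nonce = base64_encode(random_bytes(16));

        // Publish the nonce BEFORE calling $next(): Blade renders the view inside
        // the inner handler, so anything shared afterwards is never seen by it.
        view()->share('nonce', $nonce);                 // {{ $nonce }} in Blade
        $request->attributes->set('csp_nonce', $nonce); // $request->attributes->get('csp_nonce') in controllers
        Vite::useCspNonce($nonce);                      // @vite(...) emits nonce="..." on its tags

        // Trust the dev server only when the app really runs locally. The Host
        // header alone is client-controlled, so it must not be the sole signal.
        $isLocal = app()->environment('local') && $request->getHost() === '[::1]';
        $devOrigins = $isLocal ? [self::VITE_DEV] : [];

        $directives = [
            'default-src'     => ["'self'"],
            'base-uri'        => ["'self'"],
            'object-src'      => ["'none'"],
            'frame-ancestors' => ["'none'"],
            // Browsers ignore 'unsafe-inline' in script-src once a nonce is present,
            // so it is left out: every inline <script> must carry the nonce.
            'script-src'      => array_merge(["'self'", "'nonce-{$nonce}'"], $devOrigins, self::SCRIPT_HOSTS),
            // 'unsafe-inline' for styles is kept from the original policy; it is a
            // known weakening (style injection) and worth removing later.
            'style-src'       => array_merge(["'self'", "'unsafe-inline'"], $devOrigins, self::STYLE_HOSTS),
            // Vite hot-module reload talks to the dev server over a websocket.
            'connect-src'     => array_merge(["'self'"], $isLocal ? [self::VITE_DEV_WS] : []),
        ];

        $csp = $this->serialize($directives);

        $response = $next($request);
        $response->headers->set('Content-Security-Policy', $csp);

        return $response;
    }

    /**
     * Join directives into "name src src; name src" form. Building the policy
     * from arrays avoids the missing-space mistakes that hand-concatenated
     * strings invite (a glued "'nonce-...'http://host" is one invalid token and
     * is silently dropped by the browser).
     */
    private function serialize(array $directives): string
    {
        $parts = [];
        foreach ($directives as $name => $sources) {
            $parts[] = $name . ' ' . implode(' ', $sources);
        }

        return implode('; ', $parts);
    }
}
```

Two caveats a practitioner should keep in mind: a per-response nonce is incompatible with full-page response caching (a cached page carries a stale nonce that no longer matches the freshly generated header), and `{{ $nonce }}` is fine inside a quoted attribute because base64 output never contains `"` or `<`, but still use Blade's escaping form rather than `{!! !!}`.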

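A feature test that catches the exact failure in the question, as an added example that is not part of the original post. It assumes the middleware is registered globally (as in the `bootstrap/app.php` shown above) and that the view receives the shared variable under the name `nonce`; the `/csp-probe` route is constructed for the test only. `Blade::render()` is Laravel's helper for compiling a template string through the view factory, so data shared with `view()->share()` reaches it the same way it reaches a view file.

```php
<?php

namespace Tests\Feature;

use Illuminate\Support\Facades\Blade;
use Illuminate\Support\Facades\Route;
use Tests\TestCase;

class CspNonceTest extends TestCase
{
    /** Matches the base64 nonce inside a 'nonce-...' source expression. */
    private const NONCE_PATTERN = "~'nonce-([A-Za-z0-9+/=]+)'~";

    public function test_header_nonce_matches_the_rendered_nonce_and_rotates(): void
    {
        // Constructed probe route for this test only. If the middleware shares the
        // nonce too late, Blade throws "Undefined variable $nonce" and this 500s.
        Route::get('/csp-probe', fn () => response(
            Blade::render('<script nonce="{{ $nonce }}">console.log("ok")</script>')
        ));

        $first = $this->get('/csp-probe')->assertOk();
        $headerNonce = $this->nonceFromHeader($first->headers->get('Content-Security-Policy'));

        // The nonce in script-src must be the exact string Blade put on the <script> tag.
        $first->assertSee('nonce="' . $headerNonce . '"', false);

        // A second response must carry a different nonce; a fixed nonce is no nonce.
        $second = $this->get('/csp-probe')->assertOk();
        $this->assertNotSame(
            $headerNonce,
            $this->nonceFromHeader($second->headers->get('Content-Security-Policy'))
        );
    }

    private function nonceFromHeader(?string $csp): string
    {
        $this->assertNotNull($csp, 'Content-Security-Policy header is missing');
        $this->assertSame(1, preg_match(self::NONCE_PATTERN, $csp, $m), 'no nonce in CSP header');

        return $m[1];
    }
}
```

Run it with `php artisan test --filter=CspNonceTest`; with the original ordering (share after `$next()`) the first assertion fails on the rendering error, and with the fix all three checks pass.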