Yes, you can use custom nonce generators with the spatie/laravel-csp package. The package is designed to be flexible and allows you to specify your own nonce generator class in the configuration.
How to Use a Custom Nonce Generator
1. Create a Custom Nonce Generator Class
Your custom nonce generator must implement the `NonceGenerator` interface provided by the package. For example, if you want to integrate with Laravel Vite's nonce generation, you can create a class like this:
```php
namespace App\Support;

use Spatie\Csp\Nonce\NonceGenerator;
use Illuminate\Support\Facades\Vite;

class LaravelViteNonceGenerator implements NonceGenerator
{
    // Reuse the nonce Vite already generated for this request, so the
    // CSP header and the tags emitted by Vite carry the same value.
    public function generate(): string
    {
        return Vite::cspNonce();
    }
}
```
Alternatively, you can generate your own nonce value and instruct Vite to use it:
```php
namespace App\Support;

use Spatie\Csp\Nonce\NonceGenerator;
use Illuminate\Support\Facades\Vite;

class RandomString implements NonceGenerator
{
    public function generate(): string
    {
        // 16 random bytes (128 bits) from a CSPRNG, base64-encoded so the value
        // matches the base64 form the CSP grammar expects for nonces.
        $myNonce = base64_encode(random_bytes(16));

        // Tell Vite to put this same nonce on the tags it emits.
        Vite::useCspNonce($myNonce);

        return $myNonce;
    }
}
```
2. Configure the Package to Use Your Custom Nonce Generator
After creating your custom nonce generator, specify its fully qualified class name in the `nonce_generator` key of the `config/csp.php` configuration file:
```php
'nonce_generator' => App\Support\LaravelViteNonceGenerator::class,
```
3. Enable Nonce Handling
Ensure that nonce handling is enabled in the config:
```php
'nonce_enabled' => env('CSP_NONCE_ENABLED', true),
```
Additional Notes
- The package generates the nonce and inserts it into the CSP header; you add it to your inline script and style tags yourself with the `csp_nonce()` helper in Blade templates (`nonce="{{ csp_nonce() }}"`), so that header and tags carry the same value.
- Integration with Laravel Vite is explicitly supported, so the tags Vite emits carry the same nonce as the header.
- If you want to disable nonce generation (for example, if you opt for `'unsafe-inline'` scripts), set `'nonce_enabled'` to `false`, but this weakens the policy, since any inline script is then allowed to run.
- The package also supports outputting CSP policies as meta tags if needed.
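A check that ties the three steps and the `csp_nonce()` note above together, added here and not part of the original answer or of spatie/laravel-csp: a Laravel feature test that registers a throwaway route rendering inline `<script>` and `<style>` tags with `csp_nonce()`, then asserts that the nonce in the `Content-Security-Policy` header is the one in the tags and is long enough to be unguessable. It assumes a Laravel app with the package installed, `nonce_enabled` true, `report_only` off, a policy that adds the nonce to `script-src` and `style-src` (the package's default policy does), and `Spatie\Csp\AddCspHeaders` as the middleware class; the route path, the helper names `noncesInHeader` and `noncesInHtml`, and the test class name are the example's own.

```php
<?php
// Added example: not part of the original answer or of spatie/laravel-csp.
// Assumes a Laravel app with the package installed and nonces enabled.

namespace Tests\Feature;

use Illuminate\Support\Facades\Blade;
use Illuminate\Support\Facades\Route;
use Spatie\Csp\AddCspHeaders;
use Tests\TestCase;

class CspNonceTest extends TestCase
{
    /** Collect every distinct 'nonce-...' value from a CSP header string. */
    public static function noncesInHeader(string $csp): array
    {
        preg_match_all("/'nonce-([A-Za-z0-9+\\/=_-]+)'/", $csp, $m);

        return array_values(array_unique($m[1]));
    }

    /** Collect every distinct nonce="..." attribute from rendered HTML. */
    public static function noncesInHtml(string $html): array
    {
        preg_match_all('/nonce="([^"]+)"/', $html, $m);

        return array_values(array_unique($m[1]));
    }

    public function test_header_nonce_matches_inline_tag_nonce(): void
    {
        // Constructed route: two inline tags, each stamped with csp_nonce().
        Route::middleware(AddCspHeaders::class)->get('/csp-check', function () {
            return Blade::render(
                '<script nonce="{{ csp_nonce() }}">window.ok = 1;</script>'
                . '<style nonce="{{ csp_nonce() }}">body { margin: 0 }</style>'
            );
        });

        $response = $this->get('/csp-check');
        $response->assertOk();

        $headerNonces = self::noncesInHeader(
            $response->headers->get('Content-Security-Policy', '')
        );
        $htmlNonces = self::noncesInHtml($response->getContent());

        // Exactly one nonce for this response, and it is identical in the
        // header and in every inline tag; a mismatch means the browser blocks
        // the inline code even though a nonce is present.
        $this->assertCount(1, $headerNonces);
        $this->assertSame($headerNonces, $htmlNonces);

        // A nonce is only useful if it is unguessable: 128 bits of randomness
        // is the usual floor, which is 22 base64 characters or more.
        $this->assertGreaterThanOrEqual(22, strlen($headerNonces[0]));
    }
}
```

Run it with `php artisan test --filter CspNonceTest`. Freshness (a different nonce on every response) is worth checking too, but do it against two separate HTTP requests to a running server rather than two `$this->get()` calls in one test process, since container state shared inside a single test can make a per-request nonce look reused.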
This approach provides a robust and customizable way to manage CSP nonces in Laravel applications using spatie/laravel-csp, ensuring you can tailor nonce generation to your specific setup or tooling[1][2][3].
Citations:
[1] https://github.com/spatie/laravel-csp
[2] https://laravel-news.com/package/spatie-laravel-csp
[3] https://stackoverflow.com/questions/79065219/add-csp-nonce-in-script-tag
[4] https://github.com/spatie/laravel-csp/discussions/101
[5] https://www.stackhawk.com/blog/laravel-content-security-policy-guide-what-it-is-and-how-to-enable-it/
[6] https://stackoverflow.com/questions/78864184/enable-nonce-to-laravel-official-packages
[7] https://laravel-news.com/laravel-content-security-policies
[8] https://christoph-rumpel.com/2018/03/laravel-response-caching-and-csp