This project is not covered by Drupal’s security advisory policy.

Introduction

SecKit CSP Nonce automatically adds Content Security Policy (CSP) nonce attributes to all inline JavaScript on your Drupal site, enabling you to enforce strict CSP policies without blocking legitimate scripts.
The Problem: Modern web security requires Content Security Policy headers to prevent Cross-Site Scripting (XSS) attacks. However, CSP blocks all inline JavaScript by default. While you can use 'unsafe-inline' to allow inline scripts, this defeats the entire purpose of CSP by allowing both legitimate scripts AND malicious injected code.
The Solution: This module automatically generates unique, cryptographically random nonce (number used once) values for each page request and adds them to all inline

tags. The nonce is also included in your site's CSP header, allowing legitimate inline scripts to execute while blocking any injected malicious code.

This module is perfect for site administrators who want to:

  • Improve security with strict CSP policies
  • Pass security audits and CSP evaluators
  • Support Google Tag Manager without unsafe-inline
  • Eliminate CSP violations in browser console
  • Comply with modern security best practices
No coding required - just install, configure, and your site becomes more secure!

Features

Core Functionality

  • Automatic Nonce Generation
  • Multiple Operation Modes
  • Comprehensive Script Coverage
    • Unlike other solutions, this module catches inline scripts from:
    • Drupal core and contrib modules
    • Theme templates (Twig files)
    • Raw markup and #markup render elements
    • Google Tag Manager container scripts
    • Third-party integrations and widgets
    • Custom inline JavaScript anywhere on the page
  • SecKit Integration (Optional)
  • Merge with SecKit: Adds nonce to SecKit's existing CSP policy (recommended)
  • Override SecKit: Replaces SecKit's CSP entirely (advanced usage)
  • Google Tag Manager Support
  • Advanced Configuration
  • Zero Code Changes Required
  • Production-Ready

When to Use This Module

Use this module when you need to: Enforce strict Content Security Policy on your site Pass security audits that flag unsafe-inline usage Use Google Tag Manager with proper CSP Eliminate "Refused to execute inline script" console errors Comply with security requirements for government, healthcare, or enterprise sites Support third-party scripts while maintaining security Improve your site's security rating on tools like Mozilla Observatory

Post-Installation

Will be updated soon.
Supporting organizations: 
Vardot
Sponsored the module development

Project information

Releases

1.0.0 released 14 May 2026
Works with Drupal: ^9 || ^10 || ^11
Install:

Development version: 1.0.x-dev updated 14 May 2026 at 12:53 UTC

Using Composer to manage Drupal site dependencies