I don't understand why there needs to be a whole competing module when SecKit needs nonce support.

https://www.drupal.org/project/seckit/issues/3245008

SecKit has nearly 72,000 installs, but this comes up when you search 'seckit nonce drupal'. It's confusing for people to pick one or the other; this module isn't clear if it replaces SecKit or not (it's not required to install), nor as a user do I understand why I would replace SecKit with this (it says to do that for advanced usage).

I think it would be better to work with those maintainers and add nonce support to a very popular solution for adding CSP to Drupal.

Comments

kevinquillen created an issue.

tdnshah

Hi @kevinquillen,

Thanks for raising this — I understand your concern.

I agree that ideally nonce support should live in SecKit. Before creating this module, I reviewed the existing SecKit issues (including the one you referenced) and saw a few patch attempts, but they didn’t fully address nonce handling in a consistent way or follow a clean implementation approach.

This module takes a slightly different direction. Instead of only generating/exposing a nonce value, it scans the response and programmatically adds a nonce attribute to tags that don’t already have one. My assumption was that this behavior might be beyond SecKit’s current scope, which primarily focuses on CSP header configuration rather than response processing.

That said, I agree having two solutions can be confusing. I’m happy to reach out to the SecKit maintainers to explore whether this approach could be merged or contributed upstream.

Appreciate the feedback.
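The response-scanning approach described in the comment above, as an added example that is not the module's or SecKit's code: it shows that such a pass nonces every matching tag it sees, so untrusted content has to be escaped before the pass runs. It assumes the tag in question is `<script>` (the tag name is missing from the comment); `add_missing_nonces()` and `count_nonced()` are hypothetical helpers and the sample markup is constructed.

```php
<?php
// Added example: not the module's code. Assumes the nonced tag is <script>.

/** Add nonce="..." to every opening <script> tag that has no nonce attribute. */
function add_missing_nonces(string $html, string $nonce): string {
  $attr = ' nonce="' . htmlspecialchars($nonce, ENT_QUOTES) . '"';
  return preg_replace_callback(
    '/<script\b([^>]*)>/i',
    function (array $m) use ($attr): string {
      // Leave tags alone that already carry a nonce attribute.
      if (preg_match('/\snonce\s*=/i', $m[1])) {
        return $m[0];
      }
      return '<script' . $attr . $m[1] . '>';
    },
    $html
  );
}

/** Count opening <script> tags that carry this exact nonce value. */
function count_nonced(string $html, string $nonce): int {
  $pattern = '/<script\b[^>]*\snonce="' . preg_quote($nonce, '/') . '"/i';
  return (int) preg_match_all($pattern, $html);
}

// One fresh nonce per response: sent in the header and reused by the pass.
$nonce = base64_encode(random_bytes(16));
$csp = "Content-Security-Policy: script-src 'nonce-$nonce'";

// Constructed sample: markup the site rendered, plus a user-supplied string.
$theme = '<script>initMenu()</script>'
  . '<script nonce="' . $nonce . '" src="/core.js"></script>';
$user_text = '<script>untrusted()</script>';

// User text output unescaped: the pass cannot tell it from theme markup.
$unescaped = add_missing_nonces($theme . '<p>' . $user_text . '</p>', $nonce);
// User text escaped before the pass: only the theme's own tags match.
$escaped = add_missing_nonces(
  $theme . '<p>' . htmlspecialchars($user_text) . '</p>', $nonce);

echo $csp, "\n";
echo 'nonced tags, unescaped input: ', count_nonced($unescaped, $nonce), "\n";
echo 'nonced tags, escaped input:   ', count_nonced($escaped, $nonce), "\n";
```

The two counts differ by one: the unescaped user string receives the same nonce as the theme's scripts, which is why a response-level pass depends on output escaping having already been done.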