To install, add the following to your project :dependencies:

(require '[ring-middleware-csp.core :refer [wrap-csp]]
         '[ring.util.response :refer [response]])

(defn handler [request]
  (response {:foo "bar"}))

(def policy {:default-src :none
             :script-src [:self :nonce]
             :style-src ["https://example.com" :unsafe-inline]
             :report-uri "/csp-report"})

(def app
  (-> handler
      (wrap-csp {:policy policy})

Then, Content-Security-Policy header is added to http response.

Use nonce

wrap-csp middleware inject :csp-nonce to request map. You can use nonce like following.

(defn handler [{:keys [csp-nonce] :as req}]
  {:status 200
   :headers {}
   :body (str "<script nonce=\"" csp-nonce "\">alert('foo');</script>")})

If you want to disable injection, set :use-nonce? option to false.

Get header value from policy map

You can use compose function.

(ring-middleware-csp.core/compose {:default-src :none
                                   :style-src ["https://example.com" :unsafe-inline]
                                   :report-uri "/csp-report"})
=> "default-src 'none';style-src https://example.com 'unsafe-inline';report-uri /csp-report"

; with nonce
(ring-middleware-csp.core/compose {:default-src :none
                                   :style-src [:nonce :unsafe-inline]}

=> "default-src 'none';style-src 'nonce-abcdefg' 'unsafe-inline'"



Specify Content-Security-Policy value. The key of map is the directive name, the value of map is the directive value. Values are keyword, string or collection of them.


{:policy {:default-src :none
          :script-src [:self :nonce]
          :style-src ["https://example.com" :unsafe-inline]
          :report-uri "/csp-report"}}


If :report-only? is set to true, use "Content-Security-Policy-Report-Only" as header name.


By setting a function in :policy-generator, you can set a dynamic policy according to the request. The argument of the function is ring request map, the return value of it is policy map (same style as :policy). If the function returns nil, use default policy.

:report-handler and :report-uri

By using :report-handler, you can handle report request. :report-uri is the path to use report-handler. :report-handler is ring-style report handler (you must return valid response map). If use :report-handler or :report-uri, must set both :report-handler and :report-uri.

WARN: :report-uri option and :report-uri directive in :policy is independent config. Even if you set :report-uri option, the report-uri directive is NOT added automatically.


{:policy {:default-src :self
          :report-uri "/csp-report"}
 :report-uri "/csp-report"
 :report-handler (fn [req]
                   (response {:foo "bar"}))}


The default value is ture. If you set to false, disable to generate nonce.


By using :nonce-generator, you can use costom nonce generator. Default generator use SecureRandom (using "NativePRNGNonBlocking" algorithm) and java.util.Base64. It generate base64 string from 256bit random data.


{:policy {:default-src :self
          :script-src [:self :nonce]}
 :nonce-generator (fn []
                    "STATIC-NONCE")} ; DON'T use static nonce for security reason


lein test


Use cljstyle.

cljstyle fix


