I'm using Angular SSR (@angular/ssr) with the AngularNodeAppEngine for server-side rendering.
I\ve set up a strict Content Security Policy (CSP) that requires using nonces for inline scripts and styles.
I'd like to dynamically generate a CSP nonce on each request and pass it to Angular so that it can be applied to scripts generated by the framework. However, I haven't found a clear way to inject or configure a per-request nonce when using AngularNodeAppEngine.
Is there a supported way to dynamically provide a CSP nonce to Angular when using AngularNodeAppEngine for SSR? If so, how can this be done?
import {AngularNodeAppEngine, createNodeRequestHandler, isMainModule, writeResponseToNodeResponse} from '@angular/ssr/node';
import {join} from 'node:path';
import express from 'express';
const browserDistFolder = join(import.meta.dirname, '../browser');
const app = express();
const angularApp = new AngularNodeAppEngine();
app.use(
express.static(browserDistFolder, {maxAge: '1y', index: false, redirect: false})
);
app.use((req, res, next) => {
angularApp
.handle(req)
.then((response) =>
response ? writeResponseToNodeResponse(response, res) : next()
)
.catch(next);
});
if (isMainModule(import.meta.url) || process.env['pm_id']) {
const port = process.env['PORT'] || 8888;
app.listen(port, (error) => {
if (error) {
throw error;
}
console.log(`Server listening on http://localhost:${port}`);
});
}
export const reqHandler = createNodeRequestHandler(app);
