@chongfai13 you should be able to add those values directly into your config. There's also an automated tool for dynamically applying specific hashes but I'm not sure anyone uses it https://github.com/github/secure_headers/blob/master/docs/hashes.md

Hi Oreoshake

Thanks for your reply, we have followed the instructions but unfortunately it’s not working. Can you advise or perhaps show me the steps?
Thanks

@chongfai13 Can you provide more details about what is not working? Did the rake task execute? Are the hashes being generated (config/secure_headers_generated_hashes.yml)? Are the hashes being included in the header? Are the hashes wrong?

Hi Oreshake, yes, the file config/secure_headers_generated_hashes.yml is generated with the content:

(three dashes)
scripts: {}
styles: {}

and these hashes not included in the header. Please help

And you have raw <script> "javascript_goes_here" </script> tags in your views? It uses a regular expression to try and find script tags but I wouldn't call it well tested.

Hi Oreoshake, sorry for late reply, you may see my source code here: https://github.com/chongfai13/secure_headers

I have successfully made the hashes, question: How do I set it at the headers?

I wish to create like this:
Content-Security-Policy: script-src 'sha256-B2yPHKaXnvFWtRChIbabYmUBFZdVfKKXHbWtWidDVF8='

Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src

Hi @chongfai13 it looks like that test repo is enough for to me to look into this, thanks for putting that together. Unfortunately, I'm very busy so it may be some time before I can get to it. I've set a reminder so I (hopefully) won't forget.