CSP nonce not used by CF in inline script

What is the name of the domain?

https://www.cwsparkinson.co.uk

What is the error message?

Refused to execute inline script because it violates the following Content Security Policy directive

What is the issue you’re encountering?

Cloudflare is injecting inline JS code into the site as part of Bot Fight Mode but is not adding the nonce to the tag (even though one exists in the CSP header).

What steps have you taken to resolve the issue?

I have followed the documentation ("JavaScript detections | Cloudflare bot solutions docs"), which says to add a nonce to the CSP.

Was the site working with SSL prior to adding it to Cloudflare?

Yes

What is the current SSL/TLS setting?

Full (strict)

What are the steps to reproduce the issue?

Go to the website
Open developer tools (F12)
Note “Refused to execute inline script” error in console

Screenshot of the error
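
Added example (not part of the original post, and not Cloudflare's code): a small check that takes a Content-Security-Policy header value and the delivered HTML and reports each inline script the policy would refuse, which is the condition behind the console error above. The policy, nonce value and page below are constructed samples, and hash sources are assumed not to be in use.

```python
from html.parser import HTMLParser

# Constructed sample: nonce-based policy; the last inline script stands in for an injected one.
SAMPLE_CSP = "default-src 'self'; script-src 'self' 'nonce-r4nd0m' 'unsafe-inline'"
SAMPLE_HTML = """<html><head>
<script nonce="r4nd0m">console.log("site code")</script>
<script src="/app.js"></script>
</head><body>
<script>(function(){ /* injected, no nonce */ })();</script>
</body></html>"""

def script_sources(csp):
    """Source list that governs <script> elements, or None if nothing restricts them."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:  # a repeated directive is ignored, so the first one wins
            directives.setdefault(tokens[0].lower(), tokens[1:])
    for name in ("script-src-elem", "script-src", "default-src"):
        if name in directives:
            return directives[name]
    return None

class InlineScriptAudit(HTMLParser):
    """Collects (line, reason) per refused inline script; hash sources are not evaluated."""
    def __init__(self, sources):
        super().__init__()
        self.nonces = {s[7:-1] for s in sources if s.lower().startswith("'nonce-")}
        hashes = any(s.lower().startswith("'sha") for s in sources)
        # Browsers ignore 'unsafe-inline' once the list holds a nonce or hash.
        self.unsafe_inline = "'unsafe-inline'" in sources and not (self.nonces or hashes)
        self.blocked = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag != "script" or "src" in attrs:
            return  # only inline scripts are audited here
        nonce = attrs.get("nonce")
        if nonce in self.nonces or self.unsafe_inline:
            return
        reason = "no nonce attribute" if nonce is None else "nonce not in policy"
        self.blocked.append((self.getpos()[0], reason))

def blocked_inline_scripts(csp, html):
    sources = script_sources(csp)
    if sources is None:
        return []
    audit = InlineScriptAudit(sources)
    audit.feed(html)
    return audit.blocked
```

Run against the response as served through the proxy rather than the origin's copy, since only the former contains scripts added in transit.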
