Skip to content

Commit

Permalink
Add a note that dynamic is required for the nonce prop (#1685)
Browse files Browse the repository at this point in the history
Co-authored-by: victoria <[email protected]>
Co-authored-by: Alexis Aguilar <[email protected]>
  • Loading branch information
3 people authored Nov 12, 2024
1 parent c914d41 commit df17d02
Show file tree
Hide file tree
Showing 2 changed files with 4 additions and 1 deletion.
2 changes: 1 addition & 1 deletion docs/components/clerk-provider.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -226,7 +226,7 @@ The `<ClerkProvider>` component must be added to your React entrypoint.
- `nonce?`
- `string`

This nonce value will be passed through to the `@clerk/clerk-js` script tag. You can use this to implement [strict-dynamic CSP](/docs/security/clerk-csp#implementing-a-strict-dynamic-csp).
This nonce value will be passed to the `@clerk/clerk-js` script tag. Use it to implement a [strict-dynamic CSP](/docs/security/clerk-csp#implementing-a-strict-dynamic-csp). Requires the `dynamic` prop to also be set.

---

Expand Down
3 changes: 3 additions & 0 deletions docs/security/clerk-csp.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -117,6 +117,9 @@ export const config = {

With this `strict-dynamic` configuration in place, **all script tags must be passed with a `nonce` value** or they will be blocked. This can be done by passing the nonce value as a `nonce` parameter to the script tag. For example, `<script src="https://example.com/script.js" nonce="<nonce_value>"></script>`. If you are using Next.js, any scripts loaded through next will automatically have the nonce value injected.

> [!NOTE]
> You must pass the [`dynamic` prop](/docs/components/clerk-provider#properties) to `<ClerkProvider>` for `strict-dynamic` CSPs to work correctly. This is because the nonce value is generated on the server and passed to the client, which requires dynamic rendering.
With the above middleware, the nonce value is made accessible via the `x-nonce` request header. An example is provided below on how to access this value within a Next.js page.

```tsx {{ filename: 'pages/index.tsx' }}
Expand Down

0 comments on commit df17d02

Please sign in to comment.