Is it possible to use hashes for CSP ? #1779
Unanswered
WolfgangSn asked this question in Q&A
Replies: 1 comment
Hi @WolfgangSn, I was having the same issue. Managed to solve it by using the following CSP:
I would like to use Content Security Policy (CSP).
So I enabled security in sftpgo.json and used Google Chrome to identify the correct sha256 hashes to be used for the content_security_policy variable.
This looked promising until /web/admin/users was parsed ...
The users page contains the X-CSRF-TOKEN in one of the JavaScript inline functions.
As this token changes with the requests, the sha256 hash also changes with every request/session.
How to deal with this? Is the only possibility to set this to unsafe-inline then? Or would it be possible to have a fix for this to have this part of the JavaScript in a separate file and not as inline script?
best regards,
WolfgangSn
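
The effect described in the question, as an added example that is not part of the original post and not SFTPGo code: a CSP `sha256-` source is the base64 SHA-256 of the exact inline script body, so a token embedded in that body changes the hash on every request, while a script that reads the token from elsewhere in the page hashes the same every time. The page templates, the `/example/items/` path, the `csrf-token` meta tag and all function names are hypothetical and constructed for illustration.

```python
import base64
import hashlib
import re

# Constructed pages, not SFTPGo's real markup. The first embeds the per-request
# CSRF token in the inline script; the second reads it from a <meta> tag.
TOKEN_IN_SCRIPT = """<html><body><script>
function removeItem(id) {{
  fetch("/example/items/" + id,
        {{method: "DELETE", headers: {{"X-CSRF-TOKEN": "{token}"}}}});
}}
</script></body></html>"""

TOKEN_IN_META = """<html><head><meta name="csrf-token" content="{token}"></head>
<body><script>
function removeItem(id) {{
  var token = document.querySelector('meta[name="csrf-token"]').content;
  fetch("/example/items/" + id,
        {{method: "DELETE", headers: {{"X-CSRF-TOKEN": token}}}});
}}
</script></body></html>"""

# Inline scripts only: a <script src=...> element is covered by host sources.
INLINE_SCRIPT = re.compile(r"<script(?![^>]*\bsrc=)[^>]*>(.*?)</script>", re.DOTALL | re.IGNORECASE)

def csp_hashes(html):
    """Return a 'sha256-...' source expression for each inline script body."""
    sources = []
    for body in INLINE_SCRIPT.findall(html):
        # The browser hashes the exact bytes between the tags, whitespace included.
        digest = hashlib.sha256(body.encode("utf-8")).digest()
        sources.append("'sha256-%s'" % base64.b64encode(digest).decode("ascii"))
    return sources

def hashes_are_stable(template, tokens):
    """True when the inline-script hashes are identical for every token."""
    rendered = {tuple(csp_hashes(template.format(token=t))) for t in tokens}
    return len(rendered) == 1

def script_src(template, token):
    """Build a script-src directive that allows the page's inline scripts by hash."""
    return "script-src 'self' " + " ".join(csp_hashes(template.format(token=token)))

if __name__ == "__main__":
    tokens = ["constructed-token-1", "constructed-token-2"]
    for name, page in (("token in script", TOKEN_IN_SCRIPT), ("token in meta", TOKEN_IN_META)):
        print(name, "stable:", hashes_are_stable(page, tokens))
        print(" ", script_src(page, tokens[0]))
```

Running `hashes_are_stable` over a few captured renders of a page is a quick check for which inline scripts can be pinned by hash without falling back to `unsafe-inline`.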