Skip to content

Commit

Permalink
add a note that dynamic is required for the nonce prop
Browse files Browse the repository at this point in the history
  • Loading branch information
jescalan committed Nov 7, 2024
1 parent 78952ae commit 0dc1b1a
Show file tree
Hide file tree
Showing 2 changed files with 4 additions and 1 deletion.
2 changes: 1 addition & 1 deletion docs/components/clerk-provider.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -226,7 +226,7 @@ The `<ClerkProvider>` component must be added to your React entrypoint.
- `nonce?`
- `string`

This nonce value will be passed through to the `@clerk/clerk-js` script tag. You can use this to implement [strict-dynamic CSP](/docs/security/clerk-csp#implementing-a-strict-dynamic-csp).
This nonce value will be passed through to the `@clerk/clerk-js` script tag. You can use this to implement [strict-dynamic CSP](/docs/security/clerk-csp#implementing-a-strict-dynamic-csp). Note that the `dynamic` prop is also required on `ClerkProvider` in order for `nonce` to work.

---

Expand Down
3 changes: 3 additions & 0 deletions docs/security/clerk-csp.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -117,6 +117,9 @@ export const config = {

With this `strict-dynamic` configuration in place, **all script tags must be passed with a `nonce` value** or they will be blocked. This can be done by passing the nonce value as a `nonce` parameter to the script tag. For example, `<script src="https://example.com/script.js" nonce="<nonce_value>"></script>`. If you are using Next.js, any scripts loaded through next will automatically have the nonce value injected.

> [!NOTE]
> You must pass the [`dynamic` prop](/docs/components/clerk-provider#properties) to `<ClerkProvider>` in order for `strict-dynamic` CSPs to work correctly. This is because the nonce value is generated on the server and passed to the client, which requires dynamic rendering.
With the above middleware, the nonce value is made accessible via the `x-nonce` request header. An example is provided below on how to access this value within a Next.js page.

```tsx {{ filename: 'pages/index.tsx' }}
Expand Down

0 comments on commit 0dc1b1a

Please sign in to comment.