This is a comment on CSP nonce, posted by WikiAdmin at 07/05/2026 22:54

View source for Comment 9

**Here is the full function in the requested style (Allman braces + snake_case):**

%%(hl php)
/**
     * Determine whether a CSP nonce should be generated for the current request.
     *
     * @return bool
     */
    public function should_use_csp_nonce()
    {
        if (!$this->db->csp)
        {
            return false;
        }

        // Force nonce for logged-in users and pages that called no_cache()
        if (isset($this->sess->user_profile) || $this->no_cache)
        {
            return true;
        }

        // Add other conditions here if needed in the future
        // (e.g. specific actions, POST requests, etc.)

        return false;
    }
%%

==== Usage example in context: ====

%%(hl php)
public function get_csp_nonce()
    {
        if ($this->csp_nonce === null)
        {
            if ($this->should_use_csp_nonce())
            {
                $nonce = $this->generate_csp_nonce();
                $this->csp_nonce = $nonce;
            }
            else
            {
                $this->csp_nonce = '';
            }
        }

        return $this->csp_nonce;
    }

    public function get_csp_nonce_attribute()
    {
        $nonce = $this->get_csp_nonce();

        return ($nonce !== '') ? ' nonce="' . $nonce . '"' : '';
    }
%%

This keeps the logic clean, readable, and easy to extend. Let me know if you want the full updated ##http_security_headers()## method as well.