This is a comment on CSP nonce, posted by WikiAdmin at 07/05/2026 22:54
View source for Comment 9
**Here is the full function in the requested style (Allman braces + snake_case):**
%%(hl php)
/**
* Determine whether a CSP nonce should be generated for the current request.
*
* @return bool
*/
public function should_use_csp_nonce()
{
if (!$this->db->csp)
{
return false;
}
// Force nonce for logged-in users and pages that called no_cache()
if (isset($this->sess->user_profile) || $this->no_cache)
{
return true;
}
// Add other conditions here if needed in the future
// (e.g. specific actions, POST requests, etc.)
return false;
}
%%
==== Usage example in context: ====
%%(hl php)
public function get_csp_nonce()
{
if ($this->csp_nonce === null)
{
if ($this->should_use_csp_nonce())
{
$nonce = $this->generate_csp_nonce();
$this->csp_nonce = $nonce;
}
else
{
$this->csp_nonce = '';
}
}
return $this->csp_nonce;
}
public function get_csp_nonce_attribute()
{
$nonce = $this->get_csp_nonce();
return ($nonce !== '') ? ' nonce="' . $nonce . '"' : '';
}
%%
This keeps the logic clean, readable, and easy to extend. Let me know if you want the full updated ##http_security_headers()## method as well.