How to generate a nonce with Mod unique id for Content Security Police?

Question

How to generate a nonce with Mod unique id for Content Security Police?

I'm trying to generate a nonce for the CSP, I have already enabled Apache mod unique_id, and in .htaccess it is already generating correctly.

Header set Content-Security-Policy-Report-Only style-src 'self' 'nonce-%{UNIQUE_ID}e';

In the inspector you can see that it is working, since the report includes nonce:

[Report only] Refused to apply inline style because it violates the following content Security Policy directive: "style-src 'self' 'nonce-XTDMkn8AAQPQHTAzOZ6cAAAAE'". Either the 'unsafe-inline' keyword, a hash ('sha256-1aqplm6ug6vs34tx89vhclrgwo6n/fPxZgDY7CS2PT4='), or a nonce ('nonce-...') is required to enable inline execution.

The problem is that when I use the variable $_SERVER ['UNIQUE_ID'] in HTML it generates another key. HTML has dynamic elements that change according to PHP variables:

$var = $var1 * $var2; // $var1 e $var2 sempre mudam

$myUniqId = $_SERVER ['UNIQUE_ID'];

<div class="star_bar" nonce="' . $myUniqId . '" style="width:' . $var . 'px;">

Looking at the source you can see that the unique id is being generated in HTML, but it is different from what is generated in htaccess (which appears in the report of the message above).

1

php apache segurança http-headers

Author: gustavox, 2019-07-18

Source