Google Tag Manager and CSP: how to add nonce in response for reactive and mobile
Question

We are using Google Tag Manager in combination with Content Security Policy (CSP). 
The problem is that the scripts added by GTM are being blocked. According to the GTM documentation, using a nonce is the best practice solution to using Tag Manager with a Content Security Policy. 

A nonce is a randomly generated, non-guessable value generated by the server and added to the Content-Security-Policy response header, like so: 

Content-Security-Policy: script-src 'nonce-{SERVER-GENERATED-NONCE}'; img-src www.googletagmanager.com 

Every request should generate a new, random, nonce value. 
How can this be done in OutSystems (reactive and mobile)? We can't seem to find a way to have the server add this nonce-value to the response header for each reactive or mobile page request.

We know there is also the 'unsafe-inline' option, but we want to avoid using that, as it is unsafe, as the name already implies.
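
The per-request nonce mechanism described in the question, as an added illustration that is not part of the original post and is not OutSystems code: generic Node.js in which each response gets a fresh nonce placed in both the header and the inline script tag, plus a check that every script tag matches the header and that no nonce is reused across responses. The function names and the `gtmId` parameter are hypothetical, and the policy string follows the one quoted in the question.

```javascript
// Added illustration (generic Node.js, not OutSystems code).
const crypto = require('node:crypto');

// A fresh 128-bit nonce from the CSPRNG, base64-encoded for use in CSP.
function newNonce() {
  return crypto.randomBytes(16).toString('base64');
}

// Build header and page for ONE response; both carry the same nonce.
function buildResponse(gtmId) {
  const nonce = newNonce();
  const csp = `script-src 'nonce-${nonce}'; img-src www.googletagmanager.com`;
  const body = [
    '<!doctype html><html><head>',
    `<script nonce="${nonce}">/* GTM container snippet for ${gtmId} goes here */</script>`,
    '</head><body></body></html>',
  ].join('\n');
  return { headers: { 'Content-Security-Policy': csp }, body };
}

// Every <script> tag must carry a nonce that the script-src directive lists.
function checkResponse(res) {
  const csp = res.headers['Content-Security-Policy'] || '';
  const found = [...csp.matchAll(/'nonce-([A-Za-z0-9+/_-]+={0,2})'/g)];
  const allowed = new Set(found.map((m) => m[1]));
  const scripts = [...res.body.matchAll(/<script\b([^>]*)>/gi)].map((m) => m[1]);
  const unmatched = scripts.filter((attrs) => {
    const m = /\bnonce="([^"]*)"/.exec(attrs);
    return !m || !allowed.has(m[1]);
  });
  return { nonces: [...allowed], scriptCount: scripts.length, unmatched: unmatched.length };
}

// Detect nonce reuse across responses, e.g. a nonce baked into a cached page.
function findReusedNonces(responses) {
  const seen = new Set();
  const reused = new Set();
  for (const res of responses) {
    for (const n of checkResponse(res).nonces) {
      (seen.has(n) ? reused : seen).add(n);
    }
  }
  return [...reused];
}
```

Running `findReusedNonces` over several captured responses from the same page is a quick way to confirm that the nonce is generated per request rather than once at build or cache time.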
