<p>I know the nonce will work in principle - the question is whether there is a good way for us to use one that doesn't negate the purpose. We almost certainly can't just commit the nonce in this repository for example as that would defeat the whole purpose.</p>
<p>So at the very least it probably needs to be a configuration option that can be set from chef. Even then I'm not sure that it helps much given a bad actor can just access the source and copy the nonce.</p>

<p style="font-size:small;-webkit-text-size-adjust:none;color:#666;">—<br />You are receiving this because you are subscribed to this thread.<br />Reply to this email directly, or <a href="https://github.com/openstreetmap/openstreetmap-website/pull/1779#issuecomment-374252892">view it on GitHub</a>.</p>
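<p>The concern in the comment above is that a nonce which lives in configuration is a fixed value that anyone with access to the source or the rendered page can copy. The following is an added example, not code from the openstreetmap-website project or from the commenter, and it assumes the nonce under discussion is a Content-Security-Policy script nonce (the PR itself is not quoted here, so that is an assumption). It contrasts a configuration-supplied nonce (the hypothetical <code>STATIC_NONCE</code> value stands in for a Chef-managed setting) with a per-request nonce drawn from a CSPRNG, and simulates an attacker replaying a nonce copied from one response against a later one. The CSP header is built by hand with a plain string so the script runs outside Rails.</p>

```ruby
require "securerandom"

# Constructed example: a nonce baked into configuration (as a Chef-managed
# setting would be) is the same for every response, so anyone who can read
# the page source or the config can reuse it in injected markup.
STATIC_NONCE = "deadbeefcafe" # hypothetical value standing in for a configured nonce

def static_nonce
  STATIC_NONCE
end

# A per-request nonce: fresh CSPRNG output on every response, never stored.
# 16 random bytes (128 bits) is the size commonly recommended for CSP nonces.
def request_nonce
  SecureRandom.base64(16)
end

# Build the Content-Security-Policy header value for a given nonce.
def csp_header(nonce)
  "script-src 'self' 'nonce-#{nonce}'"
end

# Extract the nonce from a CSP header value; nil if the header carries none.
def nonce_from_header(header)
  header[/'nonce-([A-Za-z0-9+\/=]+)'/, 1]
end

# Simulate an attacker who copied a nonce from an earlier response and places
# it on an injected <script> tag in a later response. A browser executes the
# injected script only if the nonce matches the later response's policy.
def injected_script_runs?(policy_header, copied_nonce)
  !copied_nonce.nil? && nonce_from_header(policy_header) == copied_nonce
end

# Serve two "responses" using the given nonce generator and report whether a
# nonce copied from the first response is accepted by the second.
def replay_succeeds?(nonce_source)
  first  = csp_header(nonce_source.call)
  second = csp_header(nonce_source.call)
  injected_script_runs?(second, nonce_from_header(first))
end

if __FILE__ == $0
  puts "static nonce replay works:      #{replay_succeeds?(method(:static_nonce))}"
  puts "per-request nonce replay works: #{replay_succeeds?(method(:request_nonce))}"
end
```

<p>With the static source the replay succeeds on every response, which is the "bad actor can just access the source and copy the nonce" problem; with the per-request source it fails because the copied value never matches the next response's header. This is why a nonce does not belong in either the repository or a configuration file: its value has to be minted per response.</p>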
