- On failure to generate CSP NONCE force Apache to return a 500 error. This shouldn't happen in the real world, but cover the case anyway.
- Explicitly use a secure PRNG, `getentropy()`, on Linux, FreeBSD, OpenBSD, and macOS. This requires a "modern" kernel (2015 and newer) and an updated OS. But if you're using a security library you've already updated your system, right?