Content Security Policy (CSP)
Quick Reference Guide


Using a nonce with CSP

A nonce is a randomly generated token that should be used only one time.

What is a nonce?

The word nonce can be defined as a word or phrase that is intended for use only once. If you were a spy, you might come up with a nonce as a code word to authenticate a rendezvous.

The important things to remember for nonces with respect to (CSP) is that we only use our nonce once (for one request), and they should be so random that no one could guess it.

Example Nonce Usage

Using a nonce is one of the easiest ways to allow the execution of inline scripts in a Content Security Policy (CSP). Here's how one might use it with the CSP script-src directive:

script-src 'nonce-r@nd0m';
NOTE: We are using the phrase: r@nd0m to denote a random value. You should use a cryptographically secure random token generator to generate a nonce value. The random nonce value should only be used for a single HTTP request.

Now we can allow an inline <script> tag to execute by adding our random nonce value in the nonce attribute of the script tag:

<script nonce="r@nd0m">
	doWhatever();
</script>

Nonce Browser Support

The nonce source list directive was added to CSP Level 2. This means that support has existed since 2015 in Chrome and Firefox, Safari 10+ or Edge 15+.

Nonces are not supported at all in Internet Explorer, you need to use the Edge browser for nonce support instead.