Content Security Policy (CSP)
Quick Reference Guide


Using a nonce with CSP

A nonce is a randomly generated token that should be used only one time.

Example Nonce Usage

Using a nonce is one of the easiest ways to allow the execution of inline scripts in a Content Security Policy (CSP). Here's how one might use it with the CSP script-src directive:

script-src 'nonce-r@nd0m';

NOTE: We are using the phrase r@nd0m to denote a random value. You should use a cryptographically secure random token generator to generate a nonce value. The random nonce value should only be used for a single HTTP request.

Now we can allow an inline <script> tag to execute by adding our random nonce value in the nonce attribute of the script tag:

<script nonce="r@nd0m">
	doWhatever();
</script>

Nonce Browser Support

The nonce source list directive was added to CSP Level 2. This means that support has existed since 2015 in Chrome and Firefox, and in Safari 10+ and Edge 15+.

It is not supported at all in Internet Explorer; you need to use the Edge browser instead.