nonce

Valid on the <script> and <style> elements, the nonce (number used once) attribute permits a specific inline script or style under the script-src or style-src source list of a Content-Security-Policy, without having to allow all inline content with 'unsafe-inline' (which browsers ignore once a nonce or hash is present in the same directive). The server must generate a fresh, unpredictable nonce for every response that carries the policy: a nonce that is reused across responses or guessable lets an attacker who can inject markup attach the valid nonce to their own script, which defeats the policy.

To use a nonce:

1. For every relevant request, have your backend generate a random string of at least 128 bits from a cryptographically secure random number generator and base64-encode it, e.g. EDNnf03nceIOfn39fn3e9h3sdfa. That string is your nonce.

2. For every inline script or style you want to permit, have your backend insert a nonce attribute with that value before the page is sent, e.g.: <script nonce="EDNnf03nceIOfn39fn3e9h3sdfa">...</script>

3. Prefix the nonce with 'nonce-' and have your backend emit a CSP header with that token among the values of the source list for script-src or style-src:
Content-Security-Policy: script-src 'nonce-EDNnf03nceIOfn39fn3e9h3sdfa'

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-EDNnf03nceIOfn39fn3e9h3sdfa'"/>
</head>
<body>
<script nonce="EDNnf03nceIOfn39fn3e9h3sdfa">
alert("It works!");
</script>
</body>
</html>

A policy delivered in a <meta http-equiv> element, as above, needs the same per-response nonce as a policy delivered in a header; a static HTML file with a fixed nonce baked in provides no protection, because the value is no longer "used once".