HTML nonce Attribute

The HTML nonce attribute is a global content attribute that defines a cryptographic nonce ("number used once"). Content Security Policy (CSP), an additional layer of security that helps to detect and mitigate certain types of attacks such as data injection attacks, uses it to check whether a given fetch will be allowed to proceed for a given element. In general, the nonce attribute is the way the browser is told that the inline contents of a particular script or style element were not injected into the document by a third party, but were put there intentionally by whoever controls the server from which the document is served.

It is used to allow-list specific elements, such as a particular inline script or style element. This helps to avoid the CSP unsafe-inline directive, which would allow-list all inline styles.

Usage of nonce attribute 

To use a nonce, give the script tag a nonce attribute. The value of the nonce attribute must match one in the list of trusted sources.

Example :


<script nonce="EDNnf03nceIOfn39fn3e9h3sdfa">
    // Some inline code that I can't remove yet, but needed
</script>

This nonce must now be added to our script-src directive, appended to the nonce- keyword.

Content-Security-Policy: script-src 'nonce-EDNnf03nceIOfn39fn3e9h3sdfa'
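
The nonce shown above is a fixed string for illustration; in practice the server generates a new, unpredictable value for every response and writes it into both the header and the script tag. The following Node.js sketch is an added example, not code from the original article: the function names (newNonce, renderPage, inlineScriptsAllowed, demo) are hypothetical, and the matching function is a simplified model of the browser's check run over constructed input.

```javascript
const crypto = require('crypto');

// 16 bytes (128 bits) from the OS CSPRNG, base64-encoded; never a fixed string.
function newNonce() {
  return crypto.randomBytes(16).toString('base64');
}

// Build header and body from the SAME fresh nonce, once per response.
// `inlineJs` must be trusted, server-authored code (hypothetical parameter).
function renderPage(inlineJs) {
  const nonce = newNonce();
  return {
    nonce,
    headers: { 'Content-Security-Policy': `script-src 'nonce-${nonce}'` },
    body: `<!doctype html><title>demo</title>\n` +
          `<script nonce="${nonce}">${inlineJs}</script>\n`,
  };
}

// Simplified model of the browser's decision (not a full HTML/CSP parser):
// for each <script> tag, does its nonce attribute match one in the policy?
function inlineScriptsAllowed(html, cspHeader) {
  const allowed = new Set(
    [...cspHeader.matchAll(/'nonce-([A-Za-z0-9+\/_=-]+)'/g)].map((m) => m[1]));
  return [...html.matchAll(/<script\b([^>]*)>/gi)].map((m) => {
    const attr = /\bnonce="([^"]*)"/i.exec(m[1]);
    return attr !== null && allowed.has(attr[1]);
  });
}

// Constructed input: the intended script plus one appended without a nonce,
// standing in for markup that did not come from the server's template.
function demo() {
  const page = renderPage('console.log("intended");');
  const tampered = page.body + '<script>console.log("unexpected")</script>';
  return inlineScriptsAllowed(tampered, page.headers['Content-Security-Policy']);
}

console.log(demo()); // [ true, false ]
```

Because the value changes on every response, a page body served from a cache alongside a newer header will have its inline script refused, so nonce-bearing HTML should not be cached separately from its header.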

Supported Browsers:

  • Google Chrome 
  • Firefox 31.0 and above
  • Microsoft Edge 
  • Opera 
  • Safari 
Last Updated : 06 Jun, 2022