👀 Live Preview
CSP via meta tag allows only the script with a matching nonce:
This page demo uses a fixed nonce. Production sites generate a new value per request.

The nonce attribute holds a one-time token (number used once) on trusted inline <script> and <style> elements. It works together with Content Security Policy (CSP)—not on its own. When your server sends a header like Content-Security-Policy: script-src 'nonce-abc123', the browser runs only inline scripts whose nonce attribute matches that value. Injected attacker scripts without the correct nonce are blocked. This tightens CSP compared to allowing all inline code with 'unsafe-inline'.
Needs policy header.
Inline tags.
Random per page.
nonce = CSP value.
Tighter control.
Read property.
nonce AttributeThe primary purpose of nonce is to let you use a strict CSP that blocks most inline JavaScript and CSS while still allowing specific trusted inline blocks your server placed in the HTML. Cross-site scripting (XSS) attacks often inject new <script> tags; those injected tags will not have the secret nonce value generated for that response, so CSP refuses to execute them.
The server generates a fresh random nonce for every page load, puts the same value in the CSP header (as 'nonce-VALUE') and in the nonce attribute on each allowed inline <script> or <style>. External scripts loaded from allowed origins use script-src https://cdn.example.com instead—they do not need a nonce attribute.
Adding nonce="ABC123" without a matching CSP policy does not improve security. The browser enforces nonces only when CSP includes 'nonce-ABC123' in script-src or style-src.
Server sets CSP header and matching nonce on inline resources:
<!-- HTTP response header (set by server) -->
Content-Security-Policy: script-src 'nonce-r4nd0m'; style-src 'nonce-r4nd0m'
<script nonce="r4nd0m">
initDashboard();
</script>
<style nonce="r4nd0m">
.hero { color: navy; }
</style>
<!-- No nonce — blocked when CSP is strict -->
<script>alert("blocked");</script>'nonce-VALUE' (with quotes in the header).<script>, <style>, and <link> (stylesheet).nonce—they rely on host allowlists.scriptElement.nonce returns the attribute value.The nonce attribute accepts a single token string:
nonce="r4nd0mToken" — Must match 'nonce-r4nd0mToken' in CSP.element.nonce reads the value; avoid writing it from untrusted scripts.// Node.js example — generate per request
const crypto = require("crypto");
const nonce = crypto.randomBytes(16).toString("base64");
res.setHeader(
"Content-Security-Policy",
"script-src 'nonce-" + nonce + "'; style-src 'nonce-" + nonce + "'"
);
// Pass nonce into HTML template for script/style tags| Use case | Markup / header | Notes |
|---|---|---|
| Allow inline script | script-src 'nonce-X' + <script nonce="X"> | Values must match |
| Allow inline style | style-src 'nonce-X' + <style nonce="X"> | Same pattern |
| External script | script-src https://cdn.example.com | No nonce on src scripts |
| Read in JS | document.querySelector("script").nonce | IDL property |
| Meta CSP (demo) | <meta http-equiv="Content-Security-Policy" …> | Prefer HTTP header |
| Block all inline | script-src 'self' (no nonce, no unsafe-inline) | Strictest scripts |
| Element | Supported? | Notes |
|---|---|---|
<script> | Yes | Inline scripts under CSP |
<style> | Yes | Inline CSS under CSP |
<link rel="stylesheet"> | Yes | When stylesheet needs nonce |
<div>, <meta> | No | Not valid for nonce |
nonce vs 'unsafe-inline' vs hash| CSP approach | Allows | Security |
|---|---|---|
'nonce-…' + HTML nonce | Specific inline scripts/styles you tag | Strong (if nonce is secret per response) |
'sha256-…' hash | Exact inline content matching hash | Strong; no per-request randomness |
'unsafe-inline' | All inline scripts/styles | Weak; XSS can inject inline code |
Inline script with CSP, inline style with CSP, and reading script.nonce from server-rendered markup.
CSP via meta tag allows only the script with a matching nonce:
This page demo uses a fixed nonce. Production sites generate a new value per request.
Matching CSP header and script nonce:
<meta http-equiv="Content-Security-Policy"
content="script-src 'nonce-trusted123'">
<script nonce="trusted123">
initApp();
</script>
<script>evil();</script> <!-- blocked -->The browser compares each inline script’s nonce attribute against the 'nonce-…' entries in script-src. Only matching scripts execute. The old reference implied the attribute alone provides security—CSP enforcement is required.
Apply the same pattern to inline CSS:
<meta http-equiv="Content-Security-Policy"
content="style-src 'nonce-style789'">
<style nonce="style789">
.card { border-radius: 8px; }
</style>style-src 'nonce-…' in CSP whitelists specific inline style blocks. This prevents injected <style> tags from applying unless the attacker knows the per-response nonce.
script.nonce in JavaScriptRead the server-provided nonce from the DOM (do not set it client-side for CSP):
<script id="boot" nonce="<%= serverNonce %>">
console.log(document.getElementById("boot").nonce);
</script>Templates inject the same random nonce into the CSP header and HTML attributes. Client code may read element.nonce but should not rely on client-side generation for security enforcement.
onclick="" attributes are blocked by strict CSP and are poor for accessibility; use addEventListener in nonce-approved or external scripts.Random nonce unique to this response.
Header and nonce attributes use same value.
Matching inline scripts/styles run; others blocked.
Injected inline code lacks the secret nonce.
The nonce attribute and CSP nonce source expressions are supported in Chrome 40+, Firefox 31+, Safari 10+, and Edge 15+. CSP itself is widely supported; always send the policy via HTTP response headers in production (meta tags are acceptable for demos only).
Chrome, Firefox, Safari, and Edge enforce nonce matching when Content-Security-Policy is set via headers.
Bottom line: nonce + CSP is supported in all modern browsers. Prefer HTTP headers over meta CSP in production.
<meta http-equiv> for real deployments.'strict-dynamic' change how nonces propagate to dynamically loaded scripts.'unsafe-inline' — Nonces provide tighter control when you must allow some inline resources.The nonce attribute tags trusted inline <script> and <style> elements with a one-time token that must match your Content-Security-Policy. It helps block XSS injection without opening the door to all inline code.
Always pair HTML nonces with a server-generated CSP header, rotate the value every response, and prefer external scripts when possible for simpler, safer deployments.
nonceBookmark these before your next nonce implementation.
Not standalone.
SecurityInline tags.
ScopePer response.
TokenNo matching nonce.
DefenseRead only.
DOM<script> or <style> with a token that must match 'nonce-…' in your Content-Security-Policy for the browser to allow that inline resource.script-src or style-src.element.nonce, but setting it client-side does not satisfy CSP for inline scripts already in the document. Generate nonces server-side.script-src https://cdn.example.com. Nonces apply to inline script and style content.'unsafe-inline' allows all inline scripts (weak). Nonces allow only tagged inline resources (stronger when combined with strict CSP).Practice inline script blocking, style nonces, and reading script.nonce in the Try It editor.
5 people found this page helpful