A nonce (number used once) is a random token that you add to a Content-Security-Policy header and to the matching inline script or style tag. The browser only executes inline code whose nonce attribute matches the value in the policy, blocking attacker-injected inline scripts.

How long should a CSP nonce be?

The CSP specification recommends at least 128 bits (16 bytes) of entropy. This tool defaults to 16 bytes and lets you go higher. Anything shorter is guessable and undermines the protection.

Can I reuse the same nonce on every page?

No. A nonce must be unique and unpredictable per HTTP response. Reusing a fixed value lets an attacker who learns it inject scripts that pass the policy, which defeats the purpose entirely.

Does this send my nonce to a server?

No. The nonce is generated locally with the Web Crypto API (crypto.getRandomValues) and never leaves your browser. Generate as many as you like offline.

Why base64 instead of hex?

The CSP spec expects a base64-encoded value in the nonce-source. Base64 is also more compact than hex for the same entropy, keeping your header and HTML attribute shorter.

CSP Nonce Generator — Gera Tools

A CSP nonce is a one-time random token that lets you safely allow a specific inline <script> or <style> while a strict Content Security Policy blocks all other inline code. This tool generates a fresh, cryptographically random nonce in your browser and hands you the three pieces you need: the raw value, the policy directive, and the HTML attribute.

How it works

A nonce-based CSP works by tying together two things that must match exactly:

A nonce-<value> source inside your script-src (or style-src) directive in the Content-Security-Policy response header.
A nonce="<value>" attribute on each inline tag you want the browser to run.

The browser only executes an inline tag when its nonce attribute equals a value listed in the policy. Because the value is unguessable and changes every request, an attacker who injects markup cannot supply a matching nonce, so their inline script is refused.

This tool fills a Uint8Array from crypto.getRandomValues() (a CSPRNG) and base64-encodes it. With 16 bytes you get 128 bits of entropy, the spec-recommended minimum. The resulting directive looks like script-src 'nonce-AbC123...' 'strict-dynamic'.

Critical rule: one nonce per response

The whole security model depends on the nonce being unpredictable and unique per HTTP response. Generate it on the server for every request, inject it into both the header and the template, and never cache or hardcode it. A static nonce baked into a build is equivalent to no nonce at all.

Tips

Pair 'nonce-...' with 'strict-dynamic' so scripts loaded by your trusted inline bootstrap are also trusted, letting you drop fragile host allowlists.
Use the same nonce value for every tag within a single response; it is per-response, not per-tag.
Keep 'unsafe-inline' out of the directive — when a nonce is present, modern browsers ignore 'unsafe-inline' anyway, but removing it avoids confusion for older agents.
Everything here runs locally; copy the value into your framework’s per-request nonce mechanism (for example a middleware that sets res.locals.cspNonce).