HTML nonce Attribute (original) (raw)

Last Updated : 30 Aug, 2024

The **HTML nonce attribute is a global content attribute that defines a cryptographic nonce(" **number used once "). It is used by Content Security Policy(it is an additional layer of security that helps to detect and mitigate certain types of attacks like data injection attacks) to check whether a given fetch will be allowed to proceed for a given element or not. Generally, the attribute nonce specifies the way by which the browser is told that inline contents of some style element or specific/particular script were not injected into the document by third parties and were put in the document intentionally by whoever controls the server from where the document is served.

It allows the list of specific elements such as some specific inline script or style elements. It helps to avoid the use of the CSP unsafe-inline directive that would allow-list all inline styles.

**Usage of nonce attribute

For using none, provide the script tag a nonce attribute. The value of the nonce attribute must match one in the list of trusted sources.

**Example: In this example we showcases the nonce attribute, enhancing security by allowing only styles and scripts with matching nonce values to execute.

HTML `

Welcome to My Website

`

Now this nonce needs to be added to our script-src directive appended to the nonce- keyword.

Content-Security-Policy: script-src 'nonce-EDNnf03nceIOfn39fn3e9h3sdfa'

**Supported Browsers:

• Google Chrome
• Edge
• Firefox
• Opera
• Safari