CSP Nonce Workflow

Generate a sample nonce and a paste-ready header, then see minimal server-side patterns (Express, nginx, Apache). The generator is a client-side helper for checking format only; in production, nonces are generated per response on the server.


1) Nonce generator (demo)

Use this to sanity-check formatting. In production, generate a fresh nonce per HTTP response and inject it into both the CSP header and matching nonce attributes.

A minimal baseline is included in the generated header: default-src 'self', object-src 'none', base-uri 'self', frame-ancestors 'none'.

2) Server-side patterns (copy/paste)

Pick your stack and replace ${NONCE} with your per-response nonce.

Rules of thumb

Express

    import crypto from 'crypto';

    app.use((req, res, next) => {
      const nonce = crypto.randomBytes(24).toString('base64');
      res.locals.nonce = nonce;
      res.setHeader('Content-Security-Policy',
        "default-src 'self'; " +
        "script-src 'self' 'nonce-" + nonce + "'; " +
        "style-src 'self' 'nonce-" + nonce + "'; " +
        "object-src 'none'; base-uri 'self'; frame-ancestors 'none'; upgrade-insecure-requests"
      );
      next();
    });

    // In templates: