← back to examples

script-src nonce

CSP is active on both pages. The script is only allowed when it carries a nonce attribute that matches the value in the response header — a random token generated fresh on every request.

Response header (same on both pages)
Content-Security-Policy: script-src 'self' 'nonce-ZjpbJPnaXHp3002C0WWAog=='
Inline script in page source
<script nonce="ZjpbJPnaXHp3002C0WWAog==">markScriptRan();</script>
Result
( ._.)