CSP Nonce
A random value that allows a specific inline script to run despite a strict CSP.
A nonce (“number used once”) is generated per response on the server, embedded in the Content-Security-Policy header as script-src 'nonce-…', and repeated on the matching <script> tag as nonce="…". Only inline scripts carrying that exact nonce may execute. Dynamic frameworks (Next.js middleware, SSR templates) can rotate the value every request, so nonces leaked from old pages expire quickly.
Why developers care
Strict script-src without 'unsafe-inline' blocks legacy analytics snippets and framework hydration unless you use nonces or hashes. Nonces are the practical path when inline script content changes per user or request. Hashes work for byte-stable inline blocks only.
Example
Content-Security-Policy: script-src 'self' 'nonce-rAnDm8xK9pQ2'
<script nonce="rAnDm8xK9pQ2">
console.log('This inline script is allowed.');
</script>