
How to Configure Content-Security-Policy with Nonce

TL;DR:

To protect against XSS, configure CSP with a nonce: (1) generate a fresh nonce on every request ($nonce = base64_encode(random_bytes(16));); (2) add it to the header as script-src 'nonce-{$nonce}'; (3) set the nonce="{$nonce}" attribute on every inline <script>. Do not use 'unsafe-inline'.

Step-by-step guide

  1. Generate the nonce in PHP. At the top of the template: $nonce = base64_encode(random_bytes(16));. It must be a new, unguessable nonce for every request; a reused or cached nonce gives an attacker a value that whitelists their script.
  2. Add the CSP header. In PHP, before any output is sent: header("Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-{$nonce}'; style-src 'self' 'nonce-{$nonce}'; object-src 'none'; base-uri 'self'");
  3. Set the nonce on inline scripts: <script nonce="<?= $nonce ?>">console.log('ok');</script>. An inline script without the nonce is blocked by the browser.
  4. Validate. Use the Enterno.io checker at /en/csp. Grade A means the setup is correct.
  5. Run Content-Security-Policy-Report-Only in parallel. For monitoring: Content-Security-Policy-Report-Only: ...; report-uri /csp-report.php. Collect violation reports before enforcing the policy.
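The five steps combined into one runnable PHP file, added here as an example that is not part of the original guide. It assumes the same script also handles the report endpoint (for instance `php -S localhost:8000 csp.php`, so that `/csp-report.php` routes to it); the log file name `csp-violations.log` is a constructed name.

```php
<?php
// Added example (not Enterno.io's own code): one PHP file that serves the page with
// a per-request nonce and also receives CSP violation reports at /csp-report.php.
declare(strict_types=1);

// Policy string for a given nonce, reused for both CSP headers.
function buildCsp(string $nonce): string
{
    return "default-src 'self'; "
        . "script-src 'self' 'nonce-{$nonce}'; "
        . "style-src 'self' 'nonce-{$nonce}'; "
        . "object-src 'none'; base-uri 'self'";
}

$path = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH);

if ($path === '/csp-report.php') {
    // Browsers POST a JSON body of the form {"csp-report": {...}}.
    $report = json_decode((string) file_get_contents('php://input'), true);
    if (is_array($report) && isset($report['csp-report'])) {
        $line = json_encode(['ts' => gmdate('c'), 'report' => $report['csp-report']]);
        file_put_contents(__DIR__ . '/csp-violations.log', $line . "\n", FILE_APPEND | LOCK_EX);
    }
    http_response_code(204); // the browser ignores any body
    exit;
}

// Fresh, unguessable nonce for this request only; never reuse it across responses.
$nonce = base64_encode(random_bytes(16));

// header() must run before any output. The first header enforces; the Report-Only
// copy keeps sending violations to /csp-report.php while the policy is tuned.
header('Content-Security-Policy: ' . buildCsp($nonce));
header('Content-Security-Policy-Report-Only: ' . buildCsp($nonce) . '; report-uri /csp-report.php');
header('Cache-Control: no-store'); // a cached page would replay an old nonce
?>
<!doctype html>
<html>
<head><title>CSP nonce demo</title></head>
<body>
<script nonce="<?= $nonce ?>">console.log('ok');</script>
<!-- no nonce: blocked by the enforcing header and reported by the Report-Only one -->
<script>console.log('this never runs');</script>
</body>
</html>
```

Loading the page in a browser writes one JSON line to csp-violations.log for the second script, which is the signal to look for before tightening the policy further.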


Frequently Asked Questions

Signup required?

No for a quick check. Continuous monitoring requires a free account.