What makes this nonce cryptographically secure?

It uses window.crypto.getRandomValues() , which pulls entropy from the operating-system's CSPRNG (e.g., /dev/urandom on Linux). This is the same source used by secure password managers and TLS libraries.

How many bits of entropy does each nonce have?

8 bytes = 64 bits, 16 bytes = 128 bits, 32 bytes = 256 bits. 128 bits (16 bytes) is widely considered sufficient for most security use-cases; 256 bits offers defense-in-depth.

What is the difference between base64 and base64url?

Base64url replaces + with - and / with _ , and omits padding. This makes it safe to embed directly in URLs, JWTs, and HTTP headers without percent-encoding.

Is this nonce sent to your servers?

No. Generation happens entirely in your browser. Nothing is transmitted or stored beyond the current page session.

Can I use this nonce in a Content-Security-Policy header?

Yes. Copy the nonce value and set your header to Content-Security-Policy: script-src 'nonce-YOURVALUE' . You must generate a new nonce for every HTTP response — never reuse a nonce.

Cryptographic Nonce Generator

Name: Cryptographic Nonce Generator
Availability: InStock
Author: Nham Vu

Generate cryptographically secure nonces for CSP headers, OAuth state, API signing, and CSRF prevention — all client-side.

Generator Options

Nonce Length

Output Format

Nonces generated this session: 0

Generated Nonce

hex

Click Generate to create a nonce

Copied!

Summary

Generate cryptographically secure nonces for CSP headers, OAuth state, API signing, and CSRF prevention — all client-side.

How it works

Pick a byte length: 8, 16, or 32 bytes for 64, 128, or 256 bits of entropy.
Choose an output format: hex, base64, or URL-safe base64url.
The tool calls <code>window.crypto.getRandomValues()</code> to draw cryptographically strong random bytes from the OS CSPRNG.
Copy the encoded nonce into your CSP header, OAuth state, or API request. Nothing leaves the browser.

Use cases

Generate a fresh <code>nonce-*</code> value for every HTTP response's <code>Content-Security-Policy</code> header to allow inline scripts safely.
Produce a random <code>state</code> parameter for OAuth 2.0 authorization requests to prevent CSRF attacks on the callback.
Create unique tokens for idempotency keys in distributed API calls so duplicate requests are safely rejected.
Mint one-time tokens for password-reset or email-verification links that expire after first use.

Frequently Asked Questions

Last updated: 2026-07-01 · Reviewed by Nham Vu