What Is a Nonce? A Number Used Once
A nonce is a number used once, a value included in a request or message to guarantee it is fresh and cannot be replayed.
A nonce, short for "number used once," is a simple but powerful security primitive. By including a unique, unpredictable value in a request or cryptographic operation, systems ensure that each exchange is fresh and that a captured message cannot be replayed. Nonces show up in authentication protocols, content security policies, and encryption schemes.
The replay problem
If an attacker captures a valid request, they might resend it to repeat an action, like a payment or a login. A nonce defeats this: because each request carries a unique value the server has not seen, a replayed request is recognized and rejected.
Where nonces appear
- Authentication handshakes, to prevent replayed credentials.
- Content Security Policy, to authorize specific inline scripts.
- Encryption modes, where a unique nonce keeps ciphertext unpredictable.
Nonces in encryption
Many encryption modes require a unique nonce per message so that encrypting the same plaintext twice does not produce identical ciphertext. Reusing a nonce in these schemes can catastrophically break the encryption, so uniqueness is non-negotiable.
Nonces in CSP
A Content Security Policy can use a per-response nonce to allow a specific inline script while blocking all others. The server generates a fresh nonce each time and attaches it to the trusted script tag, so injected scripts without the nonce are refused.
Nonces and CI/CD
Web apps you build and deploy may rely on nonces for CSP and replay protection. Generating them correctly (unique, unpredictable, never reused) is part of secure coding, and security tests in CI can verify CSP nonces are applied as expected.
Getting nonces right
A nonce must be unpredictable and genuinely unique for its scope. Predictable or reused nonces undermine the very protection they provide. Use a cryptographically secure random source, never a counter an attacker can guess.
Key takeaways
- A nonce is a unique value that guarantees freshness and prevents replay.
- It is used in authentication, CSP, and encryption modes.
- Nonces must be unpredictable and never reused, or they fail their purpose.