How to use nonce in CSP

Question

I've been reading the CSP documentation regarding using inline scripts with nonce (Number used only once), but I still don't get it fully.

• May I use the same nonce to different inline scripts? That is, may I do this?

HTTP layer:

Content-Security-Policy: script-src 'nonce-2726c7f26c'

Javascript inlined in HTML

<script nonce="2726c7f26c">
  var inline = 1;
</script>
<script nonce="2726c7f26c">
  var inline2 = 2;
</script>

• can you recommend me any node.js function to generate such nonces? Shall I use the require('crypto')?

Answer 1

My solution was correct

We create one nonce per HTTP request, we should not create one per script. So, my initial solution was correct. The CSP rules go into the HTTP layer, and thus one nonce per HTTP request.