Drupal is a registered trademark of Dries Buytaert
Protected Pages 3.0.0 Major update available for module protected_pages (3.0.0). Commerce Core 3.3.8 Minor update available for module commerce (3.3.8). Search API HTML Element Filter 1.0.7 Minor update available for module search_api_html_element_filter (1.0.7). Layout Builder Reorder 2.0.1 Minor update available for module layout_builder_reorder (2.0.1). Ban 1.1.0 Minor update available for module ban (1.1.0). Field Formatter Range 2.0.0 Major update available for module field_formatter_range (2.0.0). Field Formatter Range 8.x-1.8 Minor update available for module field_formatter_range (8.x-1.8). UI Patterns (SDC in Drupal UI) 2.0.18 Minor update available for module ui_patterns (2.0.18). Search API Solr 4.3.11 Module search_api_solr updated after 14 months of inactivity (4.3.11). Provus Mega Menu Module provus_mega_menu crossed 1,000 active installs.

Nonce Generator

25 sites No security coverage
View on drupal.org

This module generates a unique nonce for each request, which can be automatically added to Content Security Policy headers. Developers can then create plugins to output scripts that automatically use these nonces, preventing CSP violations even with cached content.

Nonce Generator

Generates fresh CSP nonces per request and automatically injects them into script-src Content Security Policy headers.

What It Does

This module generates a unique nonce for each HTTP request and automatically adds it to your CSP headers. The module itself doesn't add any scripts — you create plugins to output scripts that use the nonce.

How it works

  • Scripts get fresh nonces on every request via lazy builders
  • No CSP violations even with cached content

Creating a Plugin

Create a plugin class in your module at src/Plugin/NonceScript/MyScript.php:

<?php

namespace Drupal\mymodule\Plugin\NonceScript;

use Drupal\nonce_generator\Plugin\NonceScript\NonceScriptPluginBase;

/**
 * @NonceScript(
 *   id = "my_script",
 *   label = @Translation("My Script")
 * )
 */
class MyScript extends NonceScriptPluginBase {

  public function getScript(string $nonce): string {
    $escaped_nonce = htmlspecialchars($nonce, ENT_QUOTES, 'UTF-8');

    return <<<SCRIPT
<script type="text/javascript" nonce="{$escaped_nonce}">
console.log("Hello from my script!");
// Add more JavaScript here
</script>
SCRIPT;
  }
}

Adding to Templates

Use in render arrays or templates:

// Render a specific plugin
$build['my_script'] = [
  '#type' => 'nonce_script',
  '#plugin_id' => 'my_script',
];

// Render all active plugins
$build['all_scripts'] = [
  '#type' => 'nonce_script',
  '#all_plugins' => TRUE,
];

Activity

Total releases
7
First release
Aug 2025
Latest release
3 months ago
Releases (12 mo)
7 ▲ from 0
Maintenance
Active

Release Timeline

Releases

Version Type Release date
1.0.0-beta6 Pre-release Apr 14, 2026
1.0.0-beta5 Pre-release Sep 5, 2025
1.0.0-beta4 Pre-release Sep 2, 2025
1.0.0-beta3 Pre-release Sep 2, 2025
1.0.0-beta2 Pre-release Aug 16, 2025
1.0.0-beta1 Pre-release Aug 12, 2025
1.x-dev Dev Aug 12, 2025