
getCSPNonce

Last update:
May 18, 2026

Description

The getCSPNonce function returns the nonce that will be applied to the Content Security Policy (CSP) header for a particular request. If the CSP header contains a nonce, any JavaScript executing in the context of that request must specify the same nonce. Otherwise, the browser treats that block of code as a threat and blocks its loading and execution.
ColdFusion supports the following:
  • getCSPNonce(): Returns the nonce value.
  • getCSPNonce(boolean returnAsString): Returns the nonce value as a string like 'nonce=<nonce_value>' that can be directly used in a cfheader tag or in a <script> tag.

History

  • ColdFusion (2025 release): Added the function.

Example

<cfoutput>
<script type="text/javascript" nonce="#GetCSPNonce()#">
    alert("Message");
</script>
</cfoutput>

Using getCSPNonce(boolean returnAsString)

<cfoutput>
<script type="text/javascript" #GetCSPNonce(true)#>
    alert("Message");
</script>
</cfoutput>
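
To confirm that every inline script on a rendered page carries the nonce from the CSP header, a captured response can be checked offline. The following Python check is an added example, not Adobe's or ColdFusion's code; the function names and the sample header, nonce value and HTML are constructed for illustration.

```python
# Added example (not ColdFusion code): find inline <script> tags that lack the
# nonce announced in the response's Content-Security-Policy header.
import re
from html.parser import HTMLParser

NONCE_SOURCE = re.compile(r"'nonce-([A-Za-z0-9+/_=-]+)'")

def policy_script_nonces(csp_header):
    """Nonces the policy accepts for <script> elements."""
    directives = {}
    for part in csp_header.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored; the first occurrence wins.
            directives.setdefault(tokens[0].lower(), tokens[1:])
    # Fallback order browsers use for script elements.
    for name in ("script-src-elem", "script-src", "default-src"):
        if name in directives:
            return set(NONCE_SOURCE.findall(" ".join(directives[name])))
    return set()

class InlineScripts(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found = []  # (line number, nonce attribute or None)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and "src" not in attrs:
            self.found.append((self.getpos()[0], attrs.get("nonce")))

def scripts_missing_nonce(csp_header, html):
    """Lines of inline scripts whose nonce matches no nonce in the policy.
    Hash sources are not evaluated (simplifying assumption)."""
    allowed = policy_script_nonces(csp_header)
    if not allowed:
        return []  # policy carries no nonce, nothing to compare
    parser = InlineScripts()
    parser.feed(html)
    return [line for line, nonce in parser.found if nonce not in allowed]

# Constructed sample response; the nonce value is made up.
SAMPLE_CSP = "default-src 'self'; script-src 'self' 'nonce-R4nd0mV4lu3'"
SAMPLE_HTML = """<html><body>
<script type="text/javascript" nonce="R4nd0mV4lu3">alert("Message");</script>
<script type="text/javascript">alert("no nonce");</script>
<script nonce="stale-value">alert("wrong nonce");</script>
<script src="/js/app.js"></script>
</body></html>"""
```

Calling scripts_missing_nonce(SAMPLE_CSP, SAMPLE_HTML) reports the line numbers of the two inline scripts whose nonce is missing or does not match; external scripts are skipped because the policy's other sources may govern them.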
