広告が嫌いですか? 行く広告なし今日 

Cryptographic Nonce Generator

開発者

広告・取り除く？

入力

自動処理

出力

クライアント側

Generated Nonce(s)

Usage Examples

CSP Header

HTML Script Tag

OAuth State Parameter

CSRF Token

Session ID Cookie

What is a Nonce?

広告・取り除く？

ガイド

Cryptographic Nonce Generator

Generate cryptographically secure nonces (numbers used once) for CSP headers, OAuth state parameters, CSRF tokens, session IDs, and more. Uses crypto.getRandomValues() for true randomness — no Math.random() fallback. Output in hex, Base64, Base64url, or decimal array format. Everything runs in your browser; nothing is sent to any server.

使い方

Select a byte length (8, 16, 24, 32, or 64 bytes, or enter a custom length), choose your output format (hex, Base64, Base64url, or decimal array), and set how many nonces to generate. Values generate automatically as you change settings. Copy individual nonces or use the pre-formatted usage examples that auto-populate with your generated nonce for CSP headers, HTML script tags, OAuth state parameters, CSRF tokens, and session cookies.

特徴

Cryptographic Randomness — Uses crypto.getRandomValues() exclusively. No Math.random() fallback. Produces cryptographically secure random bytes from the OS entropy source.
複数の出力形式 — Hex (lowercase), Base64 (standard), Base64url (URL-safe, no padding), and decimal byte array. Each format suited for different use cases.
Configurable Byte Length — Preset lengths (8, 16, 24, 32, 64 bytes) or custom. Entropy display shows bits of randomness (bytes × 8).
バルク生成 — Generate up to 100 nonces at once, each with individual copy button.
Usage Examples — Pre-formatted code snippets auto-populated with your nonce: CSP header, HTML script nonce attribute, OAuth state parameter, CSRF hidden input, and session cookie.
Entropy Display — Shows bits of entropy for the configured byte length so you can verify your nonce meets security requirements.
100% クライアントサイド — Nothing leaves your browser. No server requests, no logging. Your nonces stay private.

What is a Nonce?

A nonce (“number used once”) is a random value that should only be used a single time. In cryptography and web security, nonces prevent replay attacks, cross-site scripting (XSS), and request forgery. The key requirement is unpredictability — an attacker must not be able to guess the nonce value, which is why cryptographic randomness (not pseudo-random) is essential.

広告・取り除く？

What is the difference between a nonce and a random token?

A nonce is specifically a “number used once” — it must be unique for each use and should never be reused. A random token is a broader term for any random value used for authentication or identification. In practice, cryptographic nonces are random tokens with the additional constraint of single use. CSP nonces must be regenerated on every page load. OAuth state parameters must be unique per authorization request. CSRF tokens should be unique per session or per request. The generation method is the same (cryptographic randomness), but the usage pattern differs.

Why not use Math.random() for nonces?

Math.random() uses a pseudo-random number generator (PRNG) that is NOT cryptographically secure. Its output is deterministic — if an attacker knows the internal state, they can predict future values. Modern browsers use xorshift128+ or similar algorithms for Math.random(), which are fast but predictable. crypto.getRandomValues() uses the operating system’s cryptographic random number generator (CSPRNG), which draws entropy from hardware events, making its output unpredictable even to an attacker who knows the algorithm. For any security-sensitive value, always use crypto.getRandomValues().

How many bytes should my nonce be?

It depends on the use case. For CSP nonces, 16 bytes (128 bits) is the recommended minimum — sufficient to prevent brute-force guessing. For OAuth state parameters, 16-32 bytes is standard. For CSRF tokens, 16 bytes minimum. For session IDs, 32 bytes (256 bits) provides a very comfortable security margin. The general rule: 128 bits (16 bytes) of entropy is considered computationally infeasible to brute-force with current technology. 256 bits provides security against theoretical quantum computing attacks.

What is Base64url and when should I use it?

Base64url is a URL-safe variant of Base64 encoding. Standard Base64 uses + and / characters, which have special meaning in URLs and can cause issues in query parameters, cookies, and file names. Base64url replaces + with – and / with _, and omits the = padding. Use Base64url for OAuth state parameters, URL query values, JWT tokens, cookie values, and any context where the nonce will appear in a URL or HTTP header. Use standard Base64 for CSP nonces (the spec expects standard Base64) and contexts where URL safety isn’t a concern.

広告なしで楽しみたいですか? 今すぐ広告なしで

