Generating nonces for the ASAP add-on

Suppose your website or mobile app has a CSP (Content Security Policy) with script-src (a directive that controls a set of script-related privileges). In that case, you will not be able to embed the ASAP add-on using the regular code snippet. You need to modify the code to generate and pass a nonce value to the script attribute in the ASAP code snippet.

What is a nonce?

A nonce with respect to content security policy is a word or phrase used only once, and it should be so random that they are unpredictable. For example, a nonce should be a cryptographically strong random value that is at least 128 bits in length. It is also necessary that a new nonce is generated for every page load to prevent attackers from injecting arbitrary scripts bypassing CSP.

Why should you use nonces?

When you use CSP, you will need to add a nonce to every inline script block. The nonce lets the browser know that the server intended on serving this script block only if the nonce attribute in the script tag matches the nonce value in the CSP header. This way, you can use it to detect and mitigate the likes of Cross-Site Scripting (XSS) and data injection attacks.

How to generate nonce values?

From your web server, generate a random base64-encoded string of at least 128 bits of data from a cryptographically secure random number generator. Note that you must generate nonces differently each time the page loads (but, nonce only once). Here are some examples:

Nodejs Script:

const var = require( 'crypto' );
var.randomBytes(16).toString( 'base64' );
// '6JDFIvPbrWANKpSJ8vlv6b=='

Java:

String nonce = new String(DigestUtils.md5Hex(String.valueOf(new SecureRandom().nextLong())));

Python Script:

def GetCspNonce():
"""Returns a random nonce."""
NONCE_LENGTH = 16
return base64.b64encode(os.urandom(NONCE_LENGTH))

Next Steps Learn more

Now that you have generated a nonce value, the next step is to:

Pass the nonce value to the script-src directive of the Content-Security-Policy header (prepend nonce-).
Pass the same nonce value to the script attribute in the ASAP code snippet.

Zoho CRM Training Programs

Learn how to use the best tools for sales force automation and better customer engagement from Zoho's implementation specialists.

Redefine the way you work

with Zoho Workplace

Start your free trial

Zoho DataPrep Personalized Demo

If you'd like a personalized walk-through of our data preparation tool, please request a demo and we'll be happy to show you how to get the best out of Zoho DataPrep.

Create, share, and deliver

beautiful slides from anywhere.

Get Started Now

Zoho Sign now offers specialized one-on-one training for both administrators and developers.

BOOK A SESSION

Zoho Workerly Home
Forums
Connect With Us:

Zoho Recruit Home
Forums
Connect With Us:

Start tracking your website metrics today

Use PageSense to understand what your visitors are looking for, how they are behaving, and where they are facing problems on your website.

Ready to improve your website's performance?

Install the PageSense code snippet on your site in a matter of minutes and start collecting in-depth data about the website visitors to grow your business.

Track and measure every business goal

Set up goals in PageSense to measure every single action performed by visitors on your website like button or link clicks, form submissions, and page engagements.

Understand the customer journey on your website

Create funnels in PageSense to quickly see which pages visitors use to enter your website, where they navigate to next, and which pages they decide to leave without converting.

Visualize your visitor's behavior with color codes

Set up heatmaps in PageSense to see where users have clicked more, how far they've scrolled, and on which parts of a page they've spent the most time using color-coded patterns in reports.

Measure customer engagement with your web forms

Use form analytics in PageSense to see how people interact with different fields in your form, whether they complete the form successfully or not, and where exactly they drop out on your form.

Record real visitor interactions on your website

Use session recordings in PageSense to watch a video of all the visitor actions performed on your website including the pages they navigate, the buttons they click, the UX issues they face, and more.

Test and optimize webpages for better conversions

Run A/B or Split URL tests in PageSense to figure out which version of your web page works best for your business and results in the best conversion rate.

Give each customer a unique website experience

Use personalization in PageSense to deliver customized versions of your website for every individual customer based on their demographics, local weather, browsing history, and more.

Grow your business through customer feedback

Run polls on your website using PageSense to understand what your customers think about your products/services and what needs improvement on your site.

Send timely updates that customers love

Use web push notifications in PageSense to schedule and notify your customers about an upcoming flash sale, product releases, promotional coupons, and a lot more that can spark conversions on your website.

Advertise your business to website visitors

Use pop-ups in PageSense to instantly grab the attention of visitors by showing attractive signup offers, coupon code discounts, or email newsletters that can eventually convert them into subscribers.

Access more advanced settings in PageSense

Use PageSense's advanced features like creating mutually exclusive groups, enabling cross-domain tracking, configuring customized project JS, and more to get deeper insights about your website.

Try easy-to-use extensions

Download the PageSense extension app available for your web browser with a few clicks and start collecting all of your required website metrics in real time.

Discover your favorite integrations with PageSense

Get a deeper look at your website's data by seamlessly integrating PageSense with a host of popular third-party apps like Google Analytics, Mixpanel, Intercom, and more.

Quick Links	Workflow Automation	Data Collection
Web Forms	Enterprise	Begin Data Collection
Interactive Forms	Workplace	Data Collection App
Offline Forms	Customer Service	Accessible Forms
Digital Forms	Marketing	Forms for Small Business
HTML Forms	Education	Zoho Forms for Enterprise
Contact Forms	E-commerce
Lead Generation Forms	Healthcare
Wordpress Forms	Customer onboarding
No Code Forms	Construction
Free Forms	Travel
Prefill Forms	Non-Profit
Intake Forms
Form Designer
Card Forms
Assign Forms
Translate Forms
Electronic Forms
Notification Emails for Forms
Holiday Forms
Form to PDF
Email Forms CRM Forms Embeddable Forms Drag and Drop form builder

Zoho Pagesense Resources

You are currently viewing the help pages of Qntrl’s earlier version. Click here to view our latest version—Qntrl 3.0's help articles.

New to Zoho Survey?

Access Zoho Survey

Latest Feature Updates

Explore our Pricing & Plans

Zoho Survey Resources

Android Mobile Surveys

Insurvey Blogs

Insight Blogs

Tips & Tricks

New to Zoho Social?

Manage your brands on social media

Access Zoho Social

Zoho Desk Resources

Desk Community Learning Series
Digest
Functions
Meetups
Kbase
Resources
Glossary
Desk Marketplace
MVP Corner
Word of the Day

Zoho Sheet Resources

New to Zoho Forms?

Latest Feature Updates

Explore our Pricing & Plans

Zoho Forms Resources

Secure your business

communication with Zoho Mail

Get started

Mail on the move with

Zoho Mail mobile application

Go Mobile

Stay on top of your schedule

at all times

Get started

Carry your calendar with you

Anytime, anywhere

Get started

Latest Announcements

New to Zoho Sign?

Zoho Sign Resources

Sign, Paperless!

Sign and send business documents on the go!

Get Started Now

Zoho SalesIQ Resources

New to Zoho TeamInbox?

Zoho TeamInbox Resources

Connect with us

New to Zoho ZeptoMail?

LEARN MORE

Latest Feature Updates

Zoho DataPrep Resources

New to Zoho DataPrep?

Access Zoho DataPrep

Zoho DataPrep Demo

Get a personalized demo or POC

Design. Discuss. Deliver.

Create visually engaging stories with Zoho Show.

Get Started Now

New to Zoho Workerly?

Access Zoho Workerly

New to Zoho Recruit?

Access Zoho Recruit

New to Zoho CRM?

Signup Now

Access Zoho CRM

Latest Feature Updates

New to Zoho Projects?

Access Zoho Projects

New to Zoho Sprints?

Access Zoho Sprints

You are currently viewing the help articles of Sprints 1.0. If you are a user of 2.0, please refer here.

You are currently viewing the help articles of Sprints 2.0. If you are a user of 1.0, please refer here.

New to Zoho Assist?

Access Zoho Assist

New to Bigin?

Signup Now

Access Bigin

Latest Feature Updates

Related Articles
Embedding the ASAP Add-On on Sites with a Content Security Policy
Injection-based attacks are some of the most severe and harmful security threats that websites/web apps face. Having a Content Security Policy (CSP) is a powerful way to guard against such attacks. If your website/app has a CSP with the script-src ...
Working with the ASAP Add-On for the Web
Introduction The ASAP add-on for websites makes your help center available within quick reach for your end-customers. By embedding this add-on with your website, you can provide your customers with easy access to your: Customer support team (to raise ...
Debugging JWT-Related Errors While Configuring the ASAP Add-On
While setting up an ASAP add-on for your web/mobile app, you might encounter an error related to JSON Web Token (JWT) configuration. It is essential to debug this error because user authentication in the ASAP add-on is possible only through JWTs. ...
Understanding the enhanced JWT mechanism for Authenticating Users in the ASAP Add-Ons
Types of Users End-users can be categorized as guests or authenticated users based on how they log in to the ASAP add-on. Guest Users Guests are users who do not sign in while logging in to the ASAP add-ons. They can access the Knowledge Base module, ...
Working with the ASAP SDK for React Native
The ASAP SDK for React Native makes help available within quick reach for the end-users of your mobile app. Using this SDK, you can add and customize an add-on that resides within your iOS/Android app and provides end-users with easy access to your: ...