Content-Security-Policy (CSP) is an HTTP response header added to a web page that controls which resources the page is allowed to load and from which origins. The policy is specified as a list of directives, as shown in the example below. But this list-based policy is still vulnerable to cross-site scripting, so an attacker can inject a malicious script into the website.
To overcome this, a Content-Security-Policy based on a nonce or a hash is used. A nonce is a random number that marks a tag as trusted; it can be used only once. In a nonce-based CSP, a random number is generated at runtime for each response. This number is set as the value of the nonce source in the CSP header, and it is also set as the value of the nonce attribute of the script tag. The browser compares these two values and loads the script only if they are equal.
Content-Security-Policy: script-src 'nonce-random_number'
An attacker cannot run a malicious script because they do not know the value of the correct nonce, which is randomly generated. The nonce must be different for every response and must not be predictable.
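As an added example (not code from the original article), the flow described above in Python: a fresh nonce from a CSPRNG for each response, the same value placed in the header and in the trusted script tag, and a simplified model of the browser's comparison. The function names and the constructed HTML are assumptions made for this illustration.

```python
import re
import secrets


def generate_nonce(num_bytes: int = 16) -> str:
    """Fresh, unpredictable nonce for one HTTP response (CSPRNG, base64url)."""
    return secrets.token_urlsafe(num_bytes)


def build_csp_header(nonce: str) -> str:
    """script-src that trusts only tags carrying this response's nonce."""
    return f"script-src 'nonce-{nonce}'"


def render_page(nonce: str) -> str:
    """Constructed page: one trusted script (with nonce), one injected script (without)."""
    return (
        "<html><body>"
        f'<script nonce="{nonce}">console.log("trusted");</script>'
        '<script>alert("injected")</script>'  # constructed: no nonce, so blocked
        "</body></html>"
    )


def build_response() -> tuple:
    """Generate the nonce at runtime and use it in both header and markup."""
    nonce = generate_nonce()
    headers = {"Content-Security-Policy": build_csp_header(nonce)}
    return headers, render_page(nonce)


_SCRIPT_RE = re.compile(r"<script(?P<attrs>[^>]*)>", re.IGNORECASE)
_NONCE_ATTR_RE = re.compile(r'\bnonce="([^"]*)"')
_POLICY_NONCE_RE = re.compile(r"'nonce-([^']+)'")


def allowed_scripts(headers: dict, html: str) -> list:
    """Simplified browser check: a script tag runs only if its nonce attribute
    equals a nonce source listed in the script-src directive. Returns one
    True/False decision per script tag, in document order."""
    policy = headers.get("Content-Security-Policy", "")
    policy_nonces = set(_POLICY_NONCE_RE.findall(policy))
    decisions = []
    for match in _SCRIPT_RE.finditer(html):
        attr = _NONCE_ATTR_RE.search(match.group("attrs"))
        decisions.append(attr is not None and attr.group(1) in policy_nonces)
    return decisions


if __name__ == "__main__":
    hdrs, body = build_response()
    print(hdrs["Content-Security-Policy"], allowed_scripts(hdrs, body))
```

Because the nonce is generated per response and never reused, an injected tag cannot carry the right value; the model above is only the nonce comparison and omits the other script-src sources a real browser evaluates.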
You can read the complete article at the link below.