The generated nonce should be a base64-value derived from at least 16 bytes of secure random data This limits the character set to characters safe for use in HTML attributes and HTTP headers. For more ...