A form nonce is a powerful tool to block hackers.

Is Your Best Friend a Nonce?

It’s not a nice word, “nonce”. In the UK, at least, it’s a slang term for something pretty shameful. By contrast, this post’s title is shameless clickbait. But, since you’re here, let‘s talk about nonces, invisible ones and why they might be one of your website’s best friends.

What Is a Form Nonce?

Whether you’re on an app or a website, when you’re online, you’re submitting forms all the time. It may not always look like it, but you are: changing basket quantities, typing in a search term, picking your preferred insurance quote … 

In a bid to make the user’s experience flow, the explicit act of clicking a button is often hidden but we are still passing input to a computer.

When you fill in a form online – whether signing up for a newsletter, checking out in an online shop or logging into your bank – you probably think a bit about security. But when you’re just horsing around online, you probably never give it a second thought.

But just as friendly developers (like us) can relieve you of the chore of knowingly throwing data at your: favourite online store; banking app; Steam account; whatever … so can black hat developers. Malicious developers can and do create malicious form input and fling it at sensitive websites in an attempt to steal your password, money, contacts or your identity … you name it, they want it.

It’s not hard to do. Given an hour or two, we could knock up a script that creates thousands of form submissions a second and fire each at a website. If we can do it, someone bad will be.

Your website needs protection …

… and, behind the scenes, one small, powerful tool should be there doing just that: the form nonce.

If you’ve never heard of it, don’t worry. In this guide, we’ll explain what a one is, why websites use it and how it prevents some of the most common cyber attacks.

What Does the Word Mean?

The word nonce stands for “number used once”. It’s exactly what it sounds like: a unique, one-time code that a website generates whenever it shows you a form.

Here’s how it works:

  • The website creates a unique value and hides it inside the form.
  • When you press “Submit”, that value travels with your data back to the server.
  • The server checks: “is this the same value we issued?“ ”Has it been used before?”
  • If yes, your submission is accepted. If not, it’s blocked.

In plain English: a nonce is like a single-use ticket that proves your form submission is genuine. Once it’s used, it can’t be reused or copied.

Why Do Websites Need Form Nonces?

Form nonces exist to prevent a serious type of attack called Cross-Site Request Forgery (CSRF).

Here’s an easy way to understand it:

Imagine you’re logged into your online banking in one browser tab. In another tab, you’re visiting a dodgy website that tries to trick your browser into sending a money transfer request to your bank. Because you’re already logged in, the bank might think the request is from you – unless it requires a nonce.

With a nonce in place, the bank knows the difference between your real submission and a fake one. The attacker doesn’t know the unique code and can’t guess it. The request is denied, and your money stays safe.

This is why nonces are considered one of the most important defences in web application security.

Examples of Where Nonces Protect You

They aren’t just for banking. They’re quietly protecting you all over the internet:

  • E-commerce websites – preventing hackers from placing fake orders.
  • Password resets – making sure only you can change your password.
  • Profile updates – blocking attackers from changing your email or address.
  • Content management systems (like WordPress) – stopping hackers from tricking admins into publishing or deleting content.

Without nonces, these everyday actions would be far more vulnerable to cyber attacks.

Hackers will attempt to break your website by overstuffing it. A form nonce can help.

Does Every Web Form Need a Nonce?

“Need” is a strong word. There’s little risk of a Contact Form changing critical data, but hackers do use bots to flood inquiry inboxes. It’s annoying and can form part of a DDOS attack.

If the technology exists on the site to prevent malicious submissions, why wouldn’t you want to use it?

The Benefits of Using Nonces for Website Security

For website owners and developers, implementing form nonces is not optional – it’s a critical layer of security. The benefits include:

  • Protection from CSRF attacks – one of the most common web exploits.
  • Increased user trust – visitors feel safer when their data is protected.
  • Stronger account security – nonces prevent old requests from being replayed.
  • Better compliance – security features like nonces help sites meet modern security standards.

Skipping nonces is like locking your front door but leaving the back door wide open. Attackers will always look for the easiest entry point, and a missing nonce is exactly that.

Why Website Visitors Should Care

Even if you’re not a developer, understanding what a nonce does can help you make better choices online. A website that uses nonces shows that it takes security best practices seriously.

If you’re using online banking, government services, or e-commerce platforms, you’re already relying on nonces every day. They’re part of the invisible framework that keeps your details safe, along with things like HTTPS, firewalls and encryption.

How Little Fire Digital Keeps Your Website Secure

At Little Fire Digital, we know that most business owners don’t want to spend their days worrying about things like form CSRF tokens or cross-site attacks. You’ve got enough on your plate.

We know this stuff so you don’t have to. These things that make a massive difference to your website’s safety, even if you never see them. By building best-practice security measures into your site, we make sure that when your customers interact with you online, they can do so with confidence.

  • You don’t have to become a security expert.
  • You don’t have to keep up with the latest exploits.
  • You don’t even need to think about these things at all.

Instead, you can sleep easy knowing we’ve got it covered.

Want to Sleep Better at Night?

Of course you do.

Contact us today, and we can review your website using third-party tools and our years of experience. If your site is at risk, we can come up with some solid steps to keep your business safe.

*Nonce n. slang: “Not On Normal Courtyard Excercise” a term used by prison officers to describe a prisoner considered at risk of harm in the company of other prisoners – often as a result of the nature of the prisoner’s offences. Urban Dictionary

Drop Us a Line

If you have an idea of any size, scale or ambition contact us for a FREE consultation – we’d love to hear about it. 

If you’re stuck, not getting on with your developers or just unsure how to get to where you want to be online, contact us.

We’ve been doing this a long time, we really should be able to help you and, if we can’t, we ought to be able to tell you who can.

You can call us on 07967 258 776 or email us at [email protected]