diff --git a/src/main/docs/guide/views/security/csp.adoc b/src/main/docs/guide/views/security/csp.adoc index 6b92ee019..029f0eb4f 100644 --- a/src/main/docs/guide/views/security/csp.adoc +++ b/src/main/docs/guide/views/security/csp.adoc @@ -42,6 +42,14 @@ That's it! After applying the above configuration, HTTP responses might include Content-Security-Policy: default-src https: self:; script-src 'nonce-4ze2IRazk4Yu/j5K6SEzjA'; ``` +The nonce value can be accessed on the server as a request attribute named `cspNonce`. This is the value to use +in the `nonce` attribute on `script` and related tags. For example (adapt as appropriate for your template language): + +[source,html] +---- +
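Review bot: the sample header in the unchanged context directly above the added paragraph, `Content-Security-Policy: default-src https: self:; ...`, is not valid CSP syntax: the keyword source must be written as `'self'` (single-quoted), and an unquoted `self:` would be parsed as a scheme-source, so browsers would not grant same-origin access. Since this hunk edits the paragraph immediately after that example, correct it in the same change to `default-src https: 'self'; script-src 'nonce-...'`. The new paragraph should also make two points explicit that the added sentence leaves implied: the `cspNonce` request attribute holds a value generated fresh for each response (never a fixed string copied from the sample header), and the `nonce` attribute on each `script` tag must carry exactly that value, because the browser only executes a script whose nonce matches the one in the response header. The `[source,html]` example that follows should therefore render the `cspNonce` attribute through the template engine rather than hard-code a nonce literal.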