byte[] nonce3 = gcmContext.generateNonce();

        // Then - Nonces should be unique (SMB3 compliant: random + counter)
        assertFalse(Arrays.equals(nonce1, nonce2), "Nonces should be different");
        assertFalse(Arrays.equals(nonce2, nonce3), "Nonces should be different");
        assertFalse(Arrays.equals(nonce1, nonce3), "Nonces should be different");

        // Nonces should have proper size

            java.util.Arrays.fill(this.nonce, (byte) 0);
            System.arraycopy(nonce, 0, this.nonce, 0, 12);
        } else if (nonce.length == 16) {
            // For GCM cipher, use full 16-byte nonce
            System.arraycopy(nonce, 0, this.nonce, 0, 16);
        } else {
            throw new IllegalArgumentException("Nonce must be 12 bytes (CCM) or 16 bytes (GCM)");
        }

        return metrics;
    }

    /**
     * Generate a unique nonce for encryption following SMB3 specification.
     * Uses SMB3-compliant nonce generation with guaranteed uniqueness.
     *
     * @return nonce appropriate for the dialect (16 bytes for GCM, 12 bytes for CCM)
     */
    public byte[] generateNonce() {
        final byte[] nonce = new byte[isGCMCipher() ? 16 : 12];

        if (isGCMCipher()) {

          "www.google.com",
          "www.state.pa.us",
          "www4.yahoo.co.uk"
          // keep-sorted end
          );

  private static final ImmutableSet<String> NON_RS =
      ImmutableSet.<String>builder().addAll(NON_PS).addAll(PS_NOT_RS).build();

  private static final ImmutableSet<String> TOP_UNDER_REGISTRY_SUFFIX =
      ImmutableSet.of("google.com", "foo.Co.uk", "foo.ca.us.");

  @Test fun testDigestChallengeWithStrictRfc2617Header() {
    val headers =
      Headers
        .Builder()
        .add(
          "WWW-Authenticate",
          "Digest realm=\"myrealm\", nonce=\"fjalskdflwejrlaskdfjlaskdjflaks" +
            "jdflkasdf\", qop=\"auth\", stale=\"FALSE\"",
        ).build()
    val challenges = headers.parseChallenges("WWW-Authenticate")
    assertThat(challenges.size).isEqualTo(1)

            }

            final String nonce = (String) claimsSet.getClaim("nonce");
            if (logger.isDebugEnabled()) {
                logger.debug("nonce: {}", nonce);
            }
            if (StringUtils.isEmpty(nonce) || !nonce.equals(stateData.getNonce())) {
                throw new SsoLoginException("could not validate nonce");
            }

```Python
from typing import Union
from fastapi import Cookie, FastAPI, Header, Path, Query

app = FastAPI()


@app.get("/items/{item_id}")
def main(
    item_id: int = Path(gt=0),
    query: Union[str, None] = Query(default=None, max_length=10),
    session: Union[str, None] = Cookie(default=None, min_length=3),

### Response HTTPS

El TLS Termination Proxy entonces **encriptaría el response** usando la criptografía acordada antes (que comenzó con el certificado para `someapp.example.com`), y lo enviaría de vuelta al navegador.

Luego, el navegador verificaría que el response sea válido y encriptado con la clave criptográfica correcta, etc. Entonces **desencriptaría el response** y lo procesaría.

      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and

      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and

      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and

      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and