That is what I meant by the phrase, The vulnerability to things like replay attacks is controllable on the server side in how it produces and verifies what the nonce was.

However it is good to make it clear how you avoid replays, and why you would want to.