Strict CSP with Nonces | Payload | Page 1

night oriole May 12, 2026, 8:55 AM

#

I want to replace 'unsafe-inline' in the script-src directive with per-request nonces, so injected <script> tags no longer execute even if an attacker bypasses input sanitization.

Layer: browser-enforced via Content-Security-Policy header generated per request by Next.js middleware.

and AI tells me that there's a **risk **or two for this:
Two things commonly break: Payload admin (uses inline handlers) and any third-party script that doesn't accept a nonce. Which looks that my solution would break this.

Anyone has done this before?
Is this way of doing it correct?
Is there something I'm missing or what?

Any idea would help me 🫶

kindred voidBOT May 12, 2026, 8:55 AM

#

New Community-Help Thread Created!

Help is on the way! To mark it as solved, use the /solve command. In the meantime, here are some existing threads that may help you:

Documentation:

night oriole May 14, 2026, 10:16 AM

#

I applied the nonce for test to see if it breaks something or not but everything worked just fine. There was some just minor problems that after whitelisting some domain they got ok.
So if anyone is facing the same challenge i recommend doing it and check it on their own app.

#Strict CSP with Nonces

Documentation: