nginx 1 line · 1 tab

Content Security Policy header design for modern web apps

Kai Nakamura Apr 2026
1 tab
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'nonce-$request_id'; style-src 'self' https://fonts.googleapis.com 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com data:; connect-src 'self' https://api.example.com; frame-ancestors 'none'; base-uri 'self'; object-src 'none'" always;
1 file · nginx Explain with highlit

CSP design is about reducing script execution freedom without breaking the app. I prefer nonces over unsafe-inline, keep the allowed source list tight, and roll policies out in report-only mode first. That gives teams a workable path from permissive front-end habits to something meaningfully safer.

Share this code

Here's the card — post it anywhere.

Content Security Policy header design for modern web apps — share card
Link copied