CSP for Clerk Authentication: Options, Tradeoffs, and Gotchas
If you use Clerk for auth, Content Security Policy gets awkward fast. Clerk is easy to drop into a React or Next.js app. CSP is not. The friction shows up the moment you try to lock down script-src, remove unsafe-inline, or support Clerk’s hosted flows, widgets, and frontend API calls without punching giant holes in your policy. I’ve dealt with this in production, and the pattern is always the same: auth works fine until someone turns on a real CSP, then sign-in modals break, frontend API calls fail, or a wildcard gets added “temporarily” and never leaves. ...