CSP Hash vs Nonce: Copy-Paste Examples and Tradeoffs

If you’re choosing between CSP hashes and nonces, the short version is this: use nonces when your page is rendered dynamically and you control the HTML response; use hashes when the inline code is static and rarely changes. If you’re dealing with modern third-party loaders that inject further scripts, a nonce plus 'strict-dynamic' is usually the cleanest option. I’ve seen teams overcomplicate this. CSP gets much easier once you stop treating hashes and nonces as interchangeable. They solve similar problems, but they fit very different delivery models. ...

April 11, 2026 · 6 min · headertest.com
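As an added illustration of the tradeoff above (example code written for this listing, not taken from the linked post or from headertest.com), the script below shows the two delivery models side by side in plain Ruby: hashing a static inline script body exactly as it is served, minting a fresh per-response nonce, and assembling a script-src directive for each case. The HTML sample is constructed, and the regex-based inline-script extractor is a deliberate simplification standing in for a real build step.

```ruby
require 'digest'
require 'securerandom'

# Hash one inline <script> body for a CSP source expression.
# CSP hashes the script text between the tags byte for byte, so any change
# in whitespace, indentation or line endings produces a different hash.
def csp_hash(source, algo: 'sha256')
  klass = { 'sha256' => Digest::SHA256,
            'sha384' => Digest::SHA384,
            'sha512' => Digest::SHA512 }.fetch(algo)
  "'#{algo}-#{klass.base64digest(source)}'"
end

# Per-response nonce: 128 bits from a CSPRNG, base64 encoded.
# It must be regenerated on every response and never be guessable;
# a reused or predictable nonce is no better than 'unsafe-inline'.
def generate_nonce
  SecureRandom.base64(16)
end

# Pull inline script bodies out of rendered HTML so they can be hashed.
# Assumption: a small regex extractor for demonstration only; a build step
# should use a real HTML parser. Scripts with a src= attribute are skipped
# because hashes only cover inline content.
def inline_script_bodies(html)
  html.scan(%r{<script(\s[^>]*)?>(.*?)</script>}mi)
      .reject { |attrs, _| attrs.to_s =~ /\bsrc\s*=/i }
      .map { |_, body| body }
end

# Assemble a script-src directive. With 'strict-dynamic' present, CSP3
# browsers ignore host sources and 'unsafe-inline', so those entries act
# only as a fallback for older browsers.
def build_script_src(nonce: nil, hashes: [], strict_dynamic: false, fallback: [])
  sources = []
  sources << "'nonce-#{nonce}'" if nonce
  sources.concat(hashes)
  sources << "'strict-dynamic'" if strict_dynamic
  sources.concat(fallback)
  "script-src #{sources.join(' ')}"
end

# Constructed sample page: one static inline script and one external script.
SAMPLE_HTML = <<~HTML
  <html><body>
  <script>window.dataLayer = window.dataLayer || [];</script>
  <script src="/assets/app.js"></script>
  </body></html>
HTML

if __FILE__ == $PROGRAM_NAME
  # Static page: hash the inline code once at build time.
  hashes = inline_script_bodies(SAMPLE_HTML).map { |body| csp_hash(body) }
  puts 'Static page (hash):   ' + build_script_src(hashes: hashes, fallback: ["'self'"])

  # Dynamic page: fresh nonce per response, 'strict-dynamic' for loaders.
  nonce = generate_nonce
  puts 'Dynamic page (nonce): ' +
       build_script_src(nonce: nonce, strict_dynamic: true,
                        fallback: ['https:', "'unsafe-inline'"])
end
```

The same nonce value must also be written into each `<script nonce="...">` tag in the response, which is why the nonce route only works when the framework rendering the HTML is the one setting the header (Rails exposes this through `config.content_security_policy_nonce_generator`). Hashes need no coordination at render time, but every edit to the inline script, including reformatting, requires the header to be regenerated.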

CSP for Ruby on Rails: a real before-and-after case study

I’ve seen a lot of Rails apps with one of two CSP setups: either no policy at all, or a policy that exists mostly to silence browser errors. Neither gives you much protection. Rails actually makes CSP pretty workable, especially once you stop treating it like a static header and start treating it like application code. Here’s a real-world style case study based on the kind of policy you’ll see on production marketing and SaaS sites, including analytics, consent tooling, WebSockets, and a few legacy frontend habits that make CSP harder than it should be. ...

April 4, 2026 · 6 min · headertest.com