https://csp-guide.com/tags/solidstart/ Recent content in Solidstart on CSP Guide Hugo -- gohugo.io en-us Sat, 20 Jun 2026 00:00:00 +0000 https://csp-guide.com/posts/csp-for-solidjs-and-solidstart/ Sat, 20 Jun 2026 00:00:00 +0000 https://csp-guide.com/posts/csp-for-solidjs-and-solidstart/ <p>SolidJS and SolidStart sit close together, but CSP feels very different depending on which one you’re shipping.</p> <p>If you’re building a plain SolidJS SPA with Vite, CSP is mostly about locking down your static assets, avoiding inline script mistakes, and dealing with third-party analytics. If you’re building with SolidStart, CSP becomes a runtime concern too: SSR, streaming, nonce propagation, server headers, and hydration all enter the picture.</p> <p>That difference matters a lot. I’ve seen teams assume “we added a CSP header” and then discover the app only works because <code>unsafe-inline</code> quietly stayed enabled. That’s not a serious policy. That’s a polite suggestion.</p>