CSPStatic Security ToolsTooling for static and headless sites
Home/CSP for Next.js
Scenario

CSP for Next.js

Next.js can be static, server-rendered, streamed, or edge-rendered, so the safest rollout is to start with a minimal policy, observe real requests, and then tighten by deployment mode.

What usually matters most

  • script-src for /_next assets and third-party scripts.
  • style-src for CSS-in-JS or framework-generated style tags.
  • img-src for remote images and previews.
  • connect-src for APIs, analytics, and streaming.

Common pattern

Use nonce-based CSP when rendering dynamically through middleware or edge logic. Use hash-based exceptions only for fixed inline snippets.