Content Security Policy (CSP) middleware issue

Answered

Chinese Chongqing Dog posted this in #help-forum

Open in Discord

Chinese Chongqing DogOP

2025-09-05T15:41:11.388Z

Hey, i have a issue where my button stops working as intended, i made a small template to better visualize the issue, on my page i have this button:

"use client";

export default function Home() {
    const handleClick = () => {
    alert('kaboom');
  };

  return (
    <div>
      <button onClick={handleClick}>
        Click me
      </button>
    </div>
  );
}

and this is my middleware (CSP):

import { NextRequest, NextResponse } from 'next/server'
 
export function middleware(request: NextRequest) {
  const nonce = Buffer.from(crypto.randomUUID()).toString('base64')

  const cspHeader = `
    script-src 'nonce-{nonce}' 'strict-dynamic';
    object-src 'none';
    base-uri 'none';
`
  // Replace newline characters and spaces
  const contentSecurityPolicyHeaderValue = cspHeader
    .replace(/\s{2,}/g, ' ')
    .trim()
 
  const requestHeaders = new Headers(request.headers)
  requestHeaders.set('x-nonce', nonce)
 
  requestHeaders.set(
    'Content-Security-Policy',
    contentSecurityPolicyHeaderValue
  )
 
  const response = NextResponse.next({
    request: {
      headers: requestHeaders,
    },
  })
  response.headers.set(
    'Content-Security-Policy',
    contentSecurityPolicyHeaderValue
  )
 
  return response
}

now my issue is that if i click the button the handleClick will not get executed in combination with the CSP. any ideas what could cause this and how to fix this?

Answered by Chinese Chongqing Dog

i dint figure it out yet, can you give me a template how i could implement this? the only solution i found until now is a Script in the layout which i pass the nonce too together with the rule strict-dynamic, but this doesent feel correct lol

View full answer

12 Replies

@Chinese Chongqing Dog Hey, i have a issue where my button stops working as intended, i made a small template to better visualize the issue, on my page i have this button: tsx "use client"; export default function Home() { const handleClick = () => { alert('kaboom'); }; return ( <div> <button onClick={handleClick}> Click me </button> </div> ); } and this is my middleware (CSP): tsx import { NextRequest, NextResponse } from 'next/server' export function middleware(request: NextRequest) { const nonce = Buffer.from(crypto.randomUUID()).toString('base64') const cspHeader = ` script-src 'nonce-{nonce}' 'strict-dynamic'; object-src 'none'; base-uri 'none'; ` // Replace newline characters and spaces const contentSecurityPolicyHeaderValue = cspHeader .replace(/\s{2,}/g, ' ') .trim() const requestHeaders = new Headers(request.headers) requestHeaders.set('x-nonce', nonce) requestHeaders.set( 'Content-Security-Policy', contentSecurityPolicyHeaderValue ) const response = NextResponse.next({ request: { headers: requestHeaders, }, }) response.headers.set( 'Content-Security-Policy', contentSecurityPolicyHeaderValue ) return response } now my issue is that if i click the button the `handleClick` will not get executed in combination with the CSP. any ideas what could cause this and how to fix this?

American Sable

2025-09-05T15:43:41.184Z

Next.js 14+ allows per-page CSP with next/script and nonce support.

Chinese Chongqing DogOP

2025-09-05T15:49:15.232Z

what would i need to change so the button would actually work tho, if i just have it for one page the button would still not work for this page?

@American Sable Next.js 14+ allows per-page CSP with next/script and nonce support.

American Sable

2025-09-05T16:43:21.333Z

this

should fix it

@Chinese Chongqing Dog

@American Sable should fix it

Chinese Chongqing DogOP

2025-09-05T16:45:31.202Z

i dint figure it out yet, can you give me a template how i could implement this? the only solution i found until now is a Script in the layout which i pass the nonce too together with the rule strict-dynamic, but this doesent feel correct lol

Answer

@Chinese Chongqing Dog i dint figure it out yet, can you give me a template how i could implement this? the only solution i found until now is a Script in the layout which i pass the nonce too together with the rule strict-dynamic, but this doesent feel correct lol

American Sable

2025-09-05T16:47:08.918Z

https://nextjs.org/docs/pages/guides/content-security-policy

@American Sable https://nextjs.org/docs/pages/guides/content-security-policy

Chinese Chongqing DogOP

2025-09-05T16:51:15.517Z

i cant get the nonce on the site if its a client component

@Chinese Chongqing Dog i dint figure it out yet, can you give me a template how i could implement this? the only solution i found until now is a Script in the layout which i pass the nonce too together with the rule strict-dynamic, but this doesent feel correct lol

Chinese Chongqing DogOP

2025-09-05T17:50:48.808Z

this seems to actually be the solution

@Chinese Chongqing Dog this seems to actually be the solution

American Sable

2025-09-05T17:53:20.506Z

great to hear

glad i could help