The four CSP shapes

Describe the app you are securing and the lab recommends the CSP shape that matches those constraints. The sample policy and findings rerun live as the constraints change.

Recommended shape: Nonce + strict-dynamic

Best default for server-rendered apps. Script execution is tied to markup the server emits with a per-request nonce, rather than to a host allowlist, and 'strict-dynamic' lets those trusted scripts load further scripts without enumerating every host.

default-src 'self'; script-src 'nonce-RANDOM' 'strict-dynamic'; style-src 'self' 'nonce-RANDOM'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'; form-action 'self'; report-to csp-endpoint;

What the baseline analyzer still flags

[info] CSP12: upgrade-insecure-requests not set

Optional. If your app may load subresources from a mix of http:// and https:// origins, this directive auto-upgrades those http:// requests to https:// before they are sent, so mixed content is never fetched.

Fix: Add upgrade-insecure-requests if you serve over HTTPS and may still have legacy http:// references.
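The following is an added example, not code from the lab or its analyzer: it renders the nonce + strict-dynamic policy above with a fresh per-request nonce, emits the matching script markup, and replays the CSP12 check over a serialized policy. The `TEMPLATE-NONCE` finding id, the `script_tag` helper and the endpoint name handling are assumptions for illustration.

```python
import html
import secrets
from typing import Dict, List

# The lab's nonce + strict-dynamic shape; RANDOM is replaced once per response.
# 'report-to csp-endpoint' names a group that must be declared separately in a
# Reporting-Endpoints response header, or reports are silently dropped.
POLICY_TEMPLATE = (
    "default-src 'self'; script-src 'nonce-RANDOM' 'strict-dynamic'; "
    "style-src 'self' 'nonce-RANDOM'; object-src 'none'; base-uri 'self'; "
    "frame-ancestors 'none'; form-action 'self'; report-to csp-endpoint;"
)

def new_nonce() -> str:
    """128 bits from the OS CSPRNG, base64url-encoded; generate one per response, never reuse."""
    return secrets.token_urlsafe(16)

def build_csp(nonce: str, upgrade_insecure: bool = False) -> str:
    """Render the Content-Security-Policy header value for this response."""
    policy = POLICY_TEMPLATE.replace("RANDOM", nonce)
    if upgrade_insecure:  # the optional directive the analyzer asks about (CSP12)
        policy += " upgrade-insecure-requests;"
    return policy

def script_tag(nonce: str, src: str) -> str:
    """Markup the server emits; only tags carrying this nonce (and what they load) may run."""
    return f'<script nonce="{nonce}" src="{html.escape(src, quote=True)}"></script>'

def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a serialized policy into {directive-name: [source expressions]}."""
    directives: Dict[str, List[str]] = {}
    for raw in policy.split(";"):
        parts = raw.strip().split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives

def analyze(policy: str) -> List[str]:
    """Replay the lab's CSP12 finding plus a deployment check; returns finding ids."""
    d = parse_csp(policy)
    findings: List[str] = []
    if "upgrade-insecure-requests" not in d:
        findings.append("CSP12")  # info: upgrade-insecure-requests not set
    if "'nonce-RANDOM'" in d.get("script-src", []):
        findings.append("TEMPLATE-NONCE")  # hypothetical id: placeholder shipped unreplaced
    return findings
```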