CSP nonces in the admin site?

carstenfuchs · December 19, 2025, 9:55pm

Hello,

when I activate a Content Security Policy with the following directives:

SECURE_CSP = {
    "object-src": [CSP.NONE],
    "base-uri": [CSP.NONE],
    "script-src": [CSP.NONCE, CSP.STRICT_DYNAMIC],
}

the Django admin site breaks, because no nonces are added to the scripts used there.

What is a good way to approach this?

stuartmaxwell · December 22, 2025, 4:32am

Yep, breaks for me too. Although I also am finding weird recursion errors too, so I think using CSP.NONCE is not recommended for now.

cliff688 · December 23, 2025, 10:33am

Hello, would you be interested in opening a ticket to report the issue?

carstenfuchs · December 23, 2025, 5:13pm

I’ve opened a ticket in the Django issue tracker:

Topic		Replies	Views
Adding CSP support to Django Django Internals	14	3645	July 17, 2025
GSOC 2023 Discussion on Security: Bring CORS and CSP into core. Mentorship	11	1427	May 6, 2023
Django-csp and css inline Templates & Frontend	1	186	January 26, 2025
Advice on CSP reporting endpoints? Using Django	10	135	December 20, 2025
CSS not loading in django admin panel The Admin	20	172	May 31, 2025