rinafcode · RUKAYAT-CODER · Jun 29, 2026 · Jun 29, 2026
diff --git a/src/app/layout.tsx b/src/app/layout.tsx
@@ -1,5 +1,5 @@
 import type { Metadata } from 'next';
-import { cookies } from 'next/headers';
+import { cookies, headers } from 'next/headers';
 import { Geist, Geist_Mono } from 'next/font/google';
 import Script from 'next/script';
 import './globals.css';
@@ -49,9 +49,10 @@ export default async function RootLayout({
 }: Readonly<{
   children: React.ReactNode;
 }>) {
-  const cookieStore = await cookies();
+  const [cookieStore, headersList] = await Promise.all([cookies(), headers()]);
   const themeCookie = cookieStore.get('theme');
   const defaultTheme = themeCookie ? themeCookie.value : 'system';
+  const cspNonce = headersList.get('x-csp-nonce') ?? '';
 
   // Read persisted locale to server-render the correct lang/dir on <html> —
   // avoids a hydration flash for RTL users.
@@ -80,7 +81,7 @@ export default async function RootLayout({
   return (
     <html lang={locale} dir={dir} suppressHydrationWarning>
       <head>
-        <script dangerouslySetInnerHTML={{ __html: themeScript }} />
+        <script nonce={cspNonce} dangerouslySetInnerHTML={{ __html: themeScript }} />
       </head>
       <body
         className={`${geistSans.variable} ${geistMono.variable} antialiased bg-white text-gray-900 transition-colors duration-200 dark:bg-gray-950 dark:text-gray-50 flex flex-col min-h-screen`}
@@ -96,10 +97,11 @@ export default async function RootLayout({
           <Script
             src={`https://www.googletagmanager.com/gtag/js?id=${process.env.NEXT_PUBLIC_ANALYTICS_ID}`}
             strategy="lazyOnload"
+            nonce={cspNonce}
           />
         )}
         {process.env.NEXT_PUBLIC_ANALYTICS_ID && (
-          <Script id="analytics-init" strategy="lazyOnload">
+          <Script id="analytics-init" strategy="lazyOnload" nonce={cspNonce}>
             {`
               window.dataLayer = window.dataLayer || [];
               function gtag(){dataLayer.push(arguments);}

diff --git a/src/middleware.ts b/src/middleware.ts
@@ -19,6 +19,9 @@ export function middleware(request: NextRequest) {
   const traceId = crypto.randomUUID();
   request.headers.set('x-trace-id', traceId);
 
+  const cspNonce = crypto.randomUUID();
+  request.headers.set('x-csp-nonce', cspNonce);
+
   // Handle redirects first (early in the chain)
   const redirectResponse = handleRedirects(request);
   if (redirectResponse) {
@@ -33,7 +36,7 @@ export function middleware(request: NextRequest) {
   const withHeaders = (response: NextResponse) => {
     response.headers.set('x-trace-id', traceId);
     const withSecurity = applySecurityHeaders(response, request);
-    return applyCspHeaders(withSecurity, request);
+    return applyCspHeaders(withSecurity, request, cspNonce);
   };
 
   const permissionResponse = checkRoutePermission(request, userRole);

diff --git a/src/middleware/csp.ts b/src/middleware/csp.ts
@@ -1,11 +1,7 @@
 import { type NextResponse, type NextRequest } from 'next/server';
 
-const NONCE_BYTES = 16;
-
 export function generateNonce(): string {
-  const bytes = new Uint8Array(NONCE_BYTES);
-  crypto.getRandomValues(bytes);
-  return Buffer.from(bytes).toString('base64');
+  return crypto.randomUUID();
 }
 
 export interface CspOptions {
@@ -43,12 +39,12 @@ export function buildCspHeader(options: CspOptions): string {
     .join('; ');
 }
 
-export function applyCspHeaders(response: NextResponse, request: NextRequest): NextResponse {
-  const nonce = generateNonce();
-  const csp = buildCspHeader({ nonce, strict: true });
+export function applyCspHeaders(response: NextResponse, _request: NextRequest, nonce?: string): NextResponse {
+  const cspNonce = nonce ?? generateNonce();
+  const csp = buildCspHeader({ nonce: cspNonce, strict: true });
 
   response.headers.set('Content-Security-Policy', csp);
-  response.headers.set('X-Nonce', nonce);
+  response.headers.set('X-Nonce', cspNonce);
 
   return response;
 }