CSP Nonce Injection Through the Entire Stack: Express SSR → NGINX → Browser
Most developers know Content-Security-Policy exists. Fewer have actually shipped an enforcing policy. And almost nobody talks about the part that makes nonce-based CSP genuinely hard: making it work correctly across an SSR caching layer, a reverse proxy, and a browser that will block your entire page if a single <style> tag is missing its nonce. […]