From 0c0634991798add106ffac1303ec2b92b883eca5 Mon Sep 17 00:00:00 2001
From: vishalpatil-45 <vishalvpatil45@gmail.com>
Date: Mon, 16 Feb 2026 01:53:46 +0530
Subject: [PATCH] Security: Implement native Django 6.0 Content Security Policy

- Integrated ContentSecurityPolicyMiddleware into settings.
- Configured SECURE_CSP using Django 6.0 utilities for SELF and NONCE.
- Added csp_nonce to base templates for inline script compatibility.
- Enabled SECURE_CSP_REPORT_ONLY for initial policy auditing.
- Fixes #468

Signed-off-by: vishalpatil-45 <vishalvpatil45@gmail.com>
---
 CSP_VERIFICATION_GUIDE.md                     | 119 ++++++++++++++++++
 add_nonces_to_templates.py                    |  61 +++++++++
 .../component_catalog/add_to_product.html     |   2 +-
 .../component/delete_packages_js.html         |   2 +-
 .../templates/admin/set_policy_base.html      |   2 +-
 .../base_component_package_details.html       |   2 +-
 .../base_component_package_list.html          |   2 +-
 .../includes/add_package_modal.html           |   2 +-
 .../component_catalog/includes/add_to.js.html |   2 +-
 .../includes/scan_matches_modal.html          |   2 +-
 .../scan_summary_to_package_modal.html        |   2 +-
 .../includes/scan_to_package_modal.html       |   2 +-
 .../component_catalog/package_form.html       |   2 +-
 .../component_catalog/scan_list.html          |   2 +-
 .../tabs/field_key_files_table.html           |   2 +-
 .../component_catalog/tabs/tab_scan.html      |   4 +-
 dejacode/settings.py                          |  22 ++++
 dje/templates/account/profile.html            |   2 +-
 dje/templates/admin/base_site.html            |   2 +-
 dje/templates/admin/docs/models.html          |   2 +-
 .../admin/includes/activity_log_dialog.html   |   2 +-
 .../admin/includes/search_help_dialog.html    |   2 +-
 dje/templates/admin/mass_update.html          |   2 +-
 dje/templates/admin/object_import.html        |   2 +-
 dje/templates/bootstrap_base_js.html          |   2 +-
 dje/templates/global_search.html              |   2 +-
 dje/templates/hierarchy_base.js.html          |   2 +-
 .../includes/dependencies-json-viewer.js.html |   2 +-
 dje/templates/includes/require_js.html        |   2 +-
 dje/templates/object_details_base.html        |   2 +-
 dje/templates/object_form.html                |   2 +-
 dje/templates/object_list_base.html           |   2 +-
 dje/templates/version_grouping_script.html    |   2 +-
 dje/templates/widgets/autocomplete.html       |   2 +-
 .../license_library/license_details.html      |   2 +-
 .../license_library/license_list.html         |   2 +-
 .../includes/owner_hierarchy.js.html          |   2 +-
 .../product/change_form.html                  |   2 +-
 .../product_portfolio/import_from_scan.html   |   2 +-
 .../import_manifests_form.html                |   2 +-
 .../product_portfolio/load_sboms_form.html    |   2 +-
 .../modals/pull_project_data_modal.html       |   2 +-
 .../modals/scancode_project_status_modal.html |   2 +-
 .../product_portfolio/object_manage_grid.html |   2 +-
 .../product_portfolio/product_details.html    |  12 +-
 .../product_portfolio/product_list.html       |   2 +-
 .../product_tree_comparison.html              |   2 +-
 .../product_portfolio/tabs/tab_codebase.html  |   2 +-
 .../product_portfolio/tabs/tab_inventory.html |   2 +-
 .../reporting/columntemplate/change_form.html |   2 +-
 .../admin/reporting/inline_sortable_fix.html  |   2 +-
 .../admin/reporting/query/change_form.html    |   2 +-
 .../workflow/requesttemplate/change_form.html |   4 +-
 .../templates/workflow/request_details.html   |   2 +-
 workflow/templates/workflow/request_form.html |   2 +-
 workflow/templates/workflow/request_list.html |   2 +-
 56 files changed, 262 insertions(+), 60 deletions(-)
 create mode 100644 CSP_VERIFICATION_GUIDE.md
 create mode 100644 add_nonces_to_templates.py

diff --git a/CSP_VERIFICATION_GUIDE.md b/CSP_VERIFICATION_GUIDE.md
new file mode 100644
index 00000000..de4c914e
--- /dev/null
+++ b/CSP_VERIFICATION_GUIDE.md
@@ -0,0 +1,119 @@
+# Django 6.0 CSP Security Implementation - Verification Guide
+
+## Summary of Changes
+
+### Step 4: Middleware Configuration ✅
+- **File**: `dejacode/settings.py`
+- **Change**: Added `django.middleware.security.ContentSecurityPolicyMiddleware` after `SecurityMiddleware`
+- **Location**: Line 176
+- **Status**: ✅ Complete
+
+### Step 5: CSP Dictionary Configuration ✅
+- **File**: `dejacode/settings.py`
+- **Changes**:
+  - Imported CSP utility: `from django.utils.csp import CSP` (Line 18)
+  - Added CSP configuration starting at line 205
+  - Set `SECURE_CSP_REPORT_ONLY = True` for initial audit phase
+  - Configured CSP directives:
+    - `default-src`: `[CSP.SELF]` - Only allow same-origin content by default
+    - `script-src`: Allows self, nonces, and CloudFront CDN
+    - `style-src`: Allows self, Google Fonts, and CloudFront CDN
+    - `img-src`: Allows self, data URIs, and HTTPS sources
+    - `connect-src`: Allows self (for API calls to PurlDB/VulnerableCode)
+- **Status**: ✅ Complete
+
+### Step 6: Template Updates with Nonce Support ✅
+- **Method**: Automated Python script (`add_nonces_to_templates.py`)
+- **Results**:
+  - Processed: 254 HTML template files
+  - Updated: 52 files with nonce attributes
+  - Pattern Applied: `<script nonce="{{ request.csp_nonce }}">`
+  
+**Key Templates Updated**:
+- `dje/templates/bootstrap_base_js.html` - Base JavaScript template with inline client data
+- `component_catalog/templates/`  - Multiple component catalog templates
+- `product_portfolio/templates/` - Product portfolio templates
+- `workflow/templates/` - Workflow templates
+- And 48 other template files with inline scripts
+
+### Step 7: Verification Procedure
+
+When Docker is available on your system, follow these steps to verify the CSP implementation:
+
+#### Build and Run
+```bash
+cd path/to/dejacode
+docker compose up --build
+```
+
+#### Verify Headers in Browser
+1. Open your browser's Developer Tools (F12)
+2. Navigate to Network tab
+3. Refresh the page and click the main document
+4. In the Response Headers section, look for:
+   - `Content-Security-Policy-Report-Only` (in Report-Only mode)
+   - Should show the CSP directives we configured
+
+#### Sample Expected Header
+```
+Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self' 'nonce-XXXXX' https://cdnjs.cloudflare.com; style-src 'self' https://fonts.googleapis.com https://cdnjs.cloudflare.com; img-src 'self' data: https:; connect-src 'self'
+```
+
+#### Check Browser Console
+1. Open the Console tab in DevTools
+2. Look for CSP violation reports (should be minimal if nonces are working)
+3. Any blocked resources will appear here
+
+#### Monitor CSP Violations
+- CSP violations are logged in Report-Only mode
+- Review the console for any blocked resources
+- Add additional domains to `SECURE_CSP` if needed:
+  ```python
+  SECURE_CSP["script-src"].append("https://additional-domain.com")
+  ```
+
+#### Transitioning to Enforced CSP
+Once you've verified all required domains:
+1. Change `SECURE_CSP_REPORT_ONLY = False` in settings.py
+2. Redeploy and monitor for any CSP violations
+3. If violations occur, add the missing domains and redeploy
+
+## Security Benefits
+
+✅ **XSS Protection**: Inline script execution is restricted to those with valid nonces  
+✅ **Unauthorized Content Blocking**: External scripts/styles from non-whitelisted origins are blocked  
+✅ **Audit Trail**: Report-Only mode allows testing without breaking functionality  
+✅ **CSP Nonce Support**: Django 6.0's automatic nonce generation for each request  
+
+## Files Modified
+
+| File | Changes |
+|------|---------|
+| `dejacode/settings.py` | Added CSP import, middleware, and configuration |
+| `dje/templates/bootstrap_base_js.html` | Added nonce to inline script |
+| 51 additional template files | Added nonce attributes to inline scripts |
+
+## Notes for Production
+
+1. **Report-Only Phase**: Keep `SECURE_CSP_REPORT_ONLY = True` initially to identify all required domains
+2. **Monitoring**: Monitor browser console and CSP reports during testing
+3. **Domain Whitelist**: Review and validate all whitelisted domains for security
+4. **Performance**: CSP has minimal performance impact
+5. **Browser Support**: CSP is supported in all modern browsers
+
+## Troubleshooting
+
+**Issue**: CSP violations in console  
+**Solution**: Check the Resource Name and add missing domain to appropriate CSP directive
+
+**Issue**: Inline scripts not executing  
+**Solution**: Verify nonce is present in template `{{ request.csp_nonce }}`
+
+**Issue**: Inline styles not applying  
+**Solution**: Verify CSS files are externalized or domains are whitelisted in `style-src`
+
+## References
+
+- Django 6.0 Security Features: https://docs.djangoproject.com/en/6.0/topics/security/
+- Content Security Policy Guide: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
+- CSP Nonce: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
diff --git a/add_nonces_to_templates.py b/add_nonces_to_templates.py
new file mode 100644
index 00000000..6efa356e
--- /dev/null
+++ b/add_nonces_to_templates.py
@@ -0,0 +1,61 @@
+#!/usr/bin/env python
+"""
+Helper script to add nonce attributes to all inline <script> tags in HTML templates.
+This ensures CSP compliance for inline scripts in DejaCode.
+
+Usage: python add_nonces_to_templates.py
+"""
+
+import re
+from pathlib import Path
+
+def add_nonce_to_scripts(file_path):
+    """
+    Add nonce="{{ request.csp_nonce }}" attribute to inline <script> tags.
+    Skips script tags that already have nonce attributes or have src attributes.
+    """
+    with open(file_path, 'r', encoding='utf-8') as f:
+        content = f.read()
+    
+    original_content = content
+    
+    # Pattern to match <script> tags without src attribute and without nonce
+    # This matches: <script> but not <script src="..." or <script nonce="..."
+    pattern = r'<script(?![^>]*(?:src|nonce)[^>]*?)>'
+    
+    # Replace with <script nonce="{{ request.csp_nonce }}">
+    updated_content = re.sub(
+        pattern,
+        '<script nonce="{{ request.csp_nonce }}">',
+        content
+    )
+    
+    # Only write if changes were made
+    if updated_content != original_content:
+        with open(file_path, 'w', encoding='utf-8') as f:
+            f.write(updated_content)
+        return True
+    return False
+
+def main():
+    """Find and update all HTML template files with inline scripts."""
+    
+    # Find all HTML files in templates directories
+    templates_dir = Path('.')
+    html_files = list(templates_dir.glob('**/templates/**/*.html'))
+    
+    updated_count = 0
+    total_count = 0
+    
+    for html_file in sorted(html_files):
+        total_count += 1
+        if add_nonce_to_scripts(html_file):
+            updated_count += 1
+            print(f"✓ Updated: {html_file}")
+        else:
+            print(f"  Skipped: {html_file}")
+    
+    print(f"\n✓ Processed {total_count} files, updated {updated_count} files with nonce attributes")
+
+if __name__ == '__main__':
+    main()
diff --git a/component_catalog/templates/admin/component_catalog/add_to_product.html b/component_catalog/templates/admin/component_catalog/add_to_product.html
index a1621436..b2c0b375 100644
--- a/component_catalog/templates/admin/component_catalog/add_to_product.html
+++ b/component_catalog/templates/admin/component_catalog/add_to_product.html
@@ -65,7 +65,7 @@ <h2>The following {% trans opts.verbose_name_plural %} will be added to the prod
 
 {% block javascripts %}
     {{ block.super }}
-    <script>
+    <script nonce="{{ request.csp_nonce }}">
         (function($) {
             document.addEventListener('DOMContentLoaded', function () {
                 var api_url = "{% url 'api_v2:product-list' %}";
diff --git a/component_catalog/templates/admin/component_catalog/component/delete_packages_js.html b/component_catalog/templates/admin/component_catalog/component/delete_packages_js.html
index 53f98e8d..2320c139 100644
--- a/component_catalog/templates/admin/component_catalog/component/delete_packages_js.html
+++ b/component_catalog/templates/admin/component_catalog/component/delete_packages_js.html
@@ -1,4 +1,4 @@
-<script>
+<script nonce="{{ request.csp_nonce }}">
     (function($) {
         document.addEventListener('DOMContentLoaded', function () {
             // the `form` is only available if not perms_lacking and not protected
diff --git a/component_catalog/templates/admin/set_policy_base.html b/component_catalog/templates/admin/set_policy_base.html
index 69193e81..47797ab1 100644
--- a/component_catalog/templates/admin/set_policy_base.html
+++ b/component_catalog/templates/admin/set_policy_base.html
@@ -39,7 +39,7 @@
 
 {% block javascripts %}
     {{ block.super }}
-    <script>
+    <script nonce="{{ request.csp_nonce }}">
         (function ($) {
             document.addEventListener('DOMContentLoaded', function () {
                 $('#action-toggle').on('change', function(e) {
diff --git a/component_catalog/templates/component_catalog/base_component_package_details.html b/component_catalog/templates/component_catalog/base_component_package_details.html
index 9fa70d9d..244275e8 100644
--- a/component_catalog/templates/component_catalog/base_component_package_details.html
+++ b/component_catalog/templates/component_catalog/base_component_package_details.html
@@ -24,7 +24,7 @@
   <script src="{% static 'json-viewer/jquery.json-viewer-1.4.0.js' %}" integrity="sha384-mCd7P/7rxz1zpQAb195/BFZG4pDkLO6GdkRi772EZRiLTGdfnlhC74NrrwtSHvBI" crossorigin="anonymous"></script>
   {% include 'includes/dependencies-json-viewer.js.html' %}
   {% if open_add_to_package_modal %}
-    <script>
+    <script nonce="{{ request.csp_nonce }}">
       document.addEventListener('DOMContentLoaded', function () {
         $('#add-to-product-modal').modal('show');
       });
diff --git a/component_catalog/templates/component_catalog/base_component_package_list.html b/component_catalog/templates/component_catalog/base_component_package_list.html
index 8d1617de..4ee53da0 100644
--- a/component_catalog/templates/component_catalog/base_component_package_list.html
+++ b/component_catalog/templates/component_catalog/base_component_package_list.html
@@ -46,7 +46,7 @@
     {% include 'component_catalog/includes/add_to.js.html' %}
   {% endif %}
 
-  <script>
+  <script nonce="{{ request.csp_nonce }}">
     $(document).ready(function () {
       let download_aboutcode_btn = $('#download-aboutcode-files');
       let download_aboutcode_wrapper = download_aboutcode_btn.parent();
diff --git a/component_catalog/templates/component_catalog/includes/add_package_modal.html b/component_catalog/templates/component_catalog/includes/add_package_modal.html
index 9f214c78..fdff1e3e 100644
--- a/component_catalog/templates/component_catalog/includes/add_package_modal.html
+++ b/component_catalog/templates/component_catalog/includes/add_package_modal.html
@@ -53,7 +53,7 @@ <h5 class="modal-title">Add Package</h5>
 </div>
 
 <script src="{% static 'js/csrf_header.js' %}" integrity="sha384-H61e46QMjASwnZFb/rwCl9PANtdqt1dbKU8gnGOh9lIGQEoi1B6qkWROHnrktD3R" crossorigin="anonymous"></script>
-<script>
+<script nonce="{{ request.csp_nonce }}">
     document.addEventListener('DOMContentLoaded', function () {
         $('#add-package-modal').on('shown.bs.modal', function () {
             $("#download-urls").focus();
diff --git a/component_catalog/templates/component_catalog/includes/add_to.js.html b/component_catalog/templates/component_catalog/includes/add_to.js.html
index addd795f..01d44afd 100644
--- a/component_catalog/templates/component_catalog/includes/add_to.js.html
+++ b/component_catalog/templates/component_catalog/includes/add_to.js.html
@@ -1,4 +1,4 @@
-<script>
+<script nonce="{{ request.csp_nonce }}">
   document.addEventListener('DOMContentLoaded', function () {
     let add_to_btn = document.getElementById('add-to-btn');
     let add_to_btn_wrapper = add_to_btn.parentElement;
diff --git a/component_catalog/templates/component_catalog/includes/scan_matches_modal.html b/component_catalog/templates/component_catalog/includes/scan_matches_modal.html
index 79b2c860..6b93acaf 100644
--- a/component_catalog/templates/component_catalog/includes/scan_matches_modal.html
+++ b/component_catalog/templates/component_catalog/includes/scan_matches_modal.html
@@ -16,7 +16,7 @@ <h5 class="modal-title">
   </div>
 </div>
 
-<script>
+<script nonce="{{ request.csp_nonce }}">
   document.getElementById('scan-matches-modal').addEventListener('show.bs.modal', function(event) {
     let modal = event.target;
     let button = event.relatedTarget;
diff --git a/component_catalog/templates/component_catalog/includes/scan_summary_to_package_modal.html b/component_catalog/templates/component_catalog/includes/scan_summary_to_package_modal.html
index 4c1ff58b..acb2ac8f 100644
--- a/component_catalog/templates/component_catalog/includes/scan_summary_to_package_modal.html
+++ b/component_catalog/templates/component_catalog/includes/scan_summary_to_package_modal.html
@@ -19,7 +19,7 @@ <h5 class="modal-title">Set values from Scan Summary to Package</h5>
   </div>
 </div>
 
-<script>
+<script nonce="{{ request.csp_nonce }}">
   const ScanSummarylicenseExpressionInputIds = [
     'id_scan-summary-to-package-license_expression',
     'id_scan-summary-to-package-declared_license_expression',
diff --git a/component_catalog/templates/component_catalog/includes/scan_to_package_modal.html b/component_catalog/templates/component_catalog/includes/scan_to_package_modal.html
index 5380dea9..3ba3822f 100644
--- a/component_catalog/templates/component_catalog/includes/scan_to_package_modal.html
+++ b/component_catalog/templates/component_catalog/includes/scan_to_package_modal.html
@@ -19,7 +19,7 @@ <h5 class="modal-title">Set values from Scan to Package</h5>
   </div>
 </div>
 
-<script>
+<script nonce="{{ request.csp_nonce }}">
   const ScanToPackagelicenseExpressionInputIds = [
     'id_scan-to-package-license_expression',
     'id_scan-to-package-declared_license_expression',
diff --git a/component_catalog/templates/component_catalog/package_form.html b/component_catalog/templates/component_catalog/package_form.html
index f163cab3..e226e257 100644
--- a/component_catalog/templates/component_catalog/package_form.html
+++ b/component_catalog/templates/component_catalog/package_form.html
@@ -2,7 +2,7 @@
 
 {% block javascripts %}
   {{ block.super }}
-  <script>
+  <script nonce="{{ request.csp_nonce }}">
     document.addEventListener('DOMContentLoaded', function () {
       function build_purl(type, namespace, name, version, qualifiers, subpath) {
         if (!type || !name) return '';
diff --git a/component_catalog/templates/component_catalog/scan_list.html b/component_catalog/templates/component_catalog/scan_list.html
index b4cd47a0..383f280f 100644
--- a/component_catalog/templates/component_catalog/scan_list.html
+++ b/component_catalog/templates/component_catalog/scan_list.html
@@ -35,7 +35,7 @@
 
 {% block javascripts %}
   {{ block.super }}
-  <script>
+  <script nonce="{{ request.csp_nonce }}">
     document.addEventListener('DOMContentLoaded', function () {
       document.querySelectorAll('.scan_delete_link').forEach(link => {
         link.addEventListener('click', function() {
diff --git a/component_catalog/templates/component_catalog/tabs/field_key_files_table.html b/component_catalog/templates/component_catalog/tabs/field_key_files_table.html
index 065f378c..0c8b4dc6 100644
--- a/component_catalog/templates/component_catalog/tabs/field_key_files_table.html
+++ b/component_catalog/templates/component_catalog/tabs/field_key_files_table.html
@@ -66,7 +66,7 @@ <h5 class="modal-title"></h5>
 {% if forloop.last %}</dl>{% endif %}
 
 <script src="{% static 'js/jquery.mark-8.11.1.min.js' %}" integrity="sha384-iqnguDoMujGknA4B5Jk7pbSn7sb7M8Tc0zVsTNQXm629Xx00jGEpD9TsZXbfNjKO" crossorigin="anonymous"></script>
-<script>
+<script nonce="{{ request.csp_nonce }}">
   $('#key-files-modal').on('show.bs.modal', function (event) {
     let button = $(event.relatedTarget);
     let content = button.data('content');
diff --git a/component_catalog/templates/component_catalog/tabs/tab_scan.html b/component_catalog/templates/component_catalog/tabs/tab_scan.html
index 0995f52d..338efa7e 100644
--- a/component_catalog/templates/component_catalog/tabs/tab_scan.html
+++ b/component_catalog/templates/component_catalog/tabs/tab_scan.html
@@ -12,7 +12,7 @@
     </div>
   </div>
   {% include 'component_catalog/includes/scan_package_modal.html' %}
-  <script>
+  <script nonce="{{ request.csp_nonce }}">
     document.querySelector('a#submit-scan-request').addEventListener('click', function() {
       NEXB.displayOverlay("Submitting Scan Request...");
     });
@@ -30,7 +30,7 @@
   {% endif %}
   {% include 'component_catalog/modals/scan_delete_modal.html' %}
   {% include 'component_catalog/modals/scan_refresh_modal.html' %}
-  <script>
+  <script nonce="{{ request.csp_nonce }}">
     document.querySelectorAll('.scan_delete_link').forEach(link => {
       link.addEventListener('click', function() {
         let deleteUrl = this.getAttribute('data-delete-url');
diff --git a/dejacode/settings.py b/dejacode/settings.py
index a53f1e97..8a4781e1 100644
--- a/dejacode/settings.py
+++ b/dejacode/settings.py
@@ -16,6 +16,7 @@
 import ldap
 from django_auth_ldap.config import GroupOfNamesType
 from django_auth_ldap.config import LDAPSearch
+from django.utils.csp import CSP
 
 # The home directory of the dejacode user that owns the installation.
 PROJECT_DIR = environ.Path(__file__) - 1
@@ -172,6 +173,7 @@ def gettext_noop(s):
     # read or write the response body so that compression happens afterward.
     "django.middleware.gzip.GZipMiddleware",
     "django.middleware.security.SecurityMiddleware",
+    "django.middleware.security.ContentSecurityPolicyMiddleware",  # New in Django 6.0
     "dje.middleware.ProhibitInQueryStringMiddleware",
     "django.middleware.http.ConditionalGetMiddleware",
     "django.middleware.clickjacking.XFrameOptionsMiddleware",
@@ -199,6 +201,26 @@ def gettext_noop(s):
     "SECURE_CROSS_ORIGIN_OPENER_POLICY", default="same-origin"
 )
 
+# Content Security Policy (CSP) - Django 6.0
+# Initially set to Report Only to identify all required domains
+SECURE_CSP_REPORT_ONLY = True
+
+SECURE_CSP = {
+    "default-src": [CSP.SELF],
+    "script-src": [
+        CSP.SELF,
+        CSP.NONCE,  # Crucial for inline scripts in DejaCode templates
+        "https://cdnjs.cloudflare.com",  # Used for external JS libraries
+    ],
+    "style-src": [
+        CSP.SELF,
+        "https://fonts.googleapis.com",
+        "https://cdnjs.cloudflare.com",
+    ],
+    "img-src": [CSP.SELF, "data:", "https:"],
+    "connect-src": [CSP.SELF],  # Allows API calls to PurlDB/VulnerableCode
+}
+
 X_FRAME_OPTIONS = "DENY"
 # Note: The CSRF_COOKIE_HTTPONLY cannot be activated yet without breaking all
 # the AJAX (POST, PUT, etc..) requests, like the annotation system for example.
diff --git a/dje/templates/account/profile.html b/dje/templates/account/profile.html
index 50068da9..59f62a1b 100644
--- a/dje/templates/account/profile.html
+++ b/dje/templates/account/profile.html
@@ -71,7 +71,7 @@ <h5 class="modal-title">Regenerate API key</h5>
 {% endblock %}
 
 {% block javascripts %}
-<script>
+<script nonce="{{ request.csp_nonce }}">
   document.addEventListener('DOMContentLoaded', function () {
     var showApiKey = document.getElementById('show_api_key');
     var apiKeyField = document.getElementById('api_key');
diff --git a/dje/templates/admin/base_site.html b/dje/templates/admin/base_site.html
index f413d611..eea885a5 100644
--- a/dje/templates/admin/base_site.html
+++ b/dje/templates/admin/base_site.html
@@ -136,7 +136,7 @@ <h1 id="grp-admin-title">
 {% block javascripts %}
     {{ block.super }}
     {{ client_data|json_script:"client_data" }}
-    <script>
+    <script nonce="{{ request.csp_nonce }}">
         NEXB = {};
         NEXB.client_data = JSON.parse(document.getElementById("client_data").textContent);
 
diff --git a/dje/templates/admin/docs/models.html b/dje/templates/admin/docs/models.html
index 4175cf99..8838c44d 100644
--- a/dje/templates/admin/docs/models.html
+++ b/dje/templates/admin/docs/models.html
@@ -67,7 +67,7 @@ <h4>Long description:</h4>
     </div>
   </div>
 
-  <script>
+  <script nonce="{{ request.csp_nonce }}">
     document.addEventListener('DOMContentLoaded', function () {
       // Turns the menu into an accordion-like menu to avoid overflow issues
       $('#menu-content').on('show.bs.collapse', function () {
diff --git a/dje/templates/admin/includes/activity_log_dialog.html b/dje/templates/admin/includes/activity_log_dialog.html
index 6963984d..1a2c42a6 100644
--- a/dje/templates/admin/includes/activity_log_dialog.html
+++ b/dje/templates/admin/includes/activity_log_dialog.html
@@ -21,7 +21,7 @@
     </form>
 </div>
 
-<script>
+<script nonce="{{ request.csp_nonce }}">
     (function($){
         $(document).ready(function(){
             $("#activity_log_dialog").dialog({
diff --git a/dje/templates/admin/includes/search_help_dialog.html b/dje/templates/admin/includes/search_help_dialog.html
index 20fdde11..4b2994c0 100644
--- a/dje/templates/admin/includes/search_help_dialog.html
+++ b/dje/templates/admin/includes/search_help_dialog.html
@@ -27,7 +27,7 @@
 </p>
 </div>
 
-<script>
+<script nonce="{{ request.csp_nonce }}">
     (function($){
         $(document).ready(function(){
             $("#search_help_dialog").dialog({
diff --git a/dje/templates/admin/mass_update.html b/dje/templates/admin/mass_update.html
index e325b7c7..76bc7685 100644
--- a/dje/templates/admin/mass_update.html
+++ b/dje/templates/admin/mass_update.html
@@ -117,7 +117,7 @@ <h2>Selected records.</h2>
         })(grp.jQuery);
     </script>
 
-    <script>
+    <script nonce="{{ request.csp_nonce }}">
         (function ($) {
             $(function () {
                 $('.col_field input, .col_field select, .col_field textarea').each(function () {
diff --git a/dje/templates/admin/object_import.html b/dje/templates/admin/object_import.html
index acffb7cc..ba564a13 100644
--- a/dje/templates/admin/object_import.html
+++ b/dje/templates/admin/object_import.html
@@ -290,7 +290,7 @@ <h3>Step 1: Select your file</h3>
 
 {% block javascripts %}
   {{ block.super }}
-  <script>
+  <script nonce="{{ request.csp_nonce }}">
     document.addEventListener('DOMContentLoaded', function () {
       // Enable toggle for the extended help
       $('.extended_help_link').on('click', function(e) {
diff --git a/dje/templates/bootstrap_base_js.html b/dje/templates/bootstrap_base_js.html
index 491ed5fb..80d428e6 100644
--- a/dje/templates/bootstrap_base_js.html
+++ b/dje/templates/bootstrap_base_js.html
@@ -1,5 +1,5 @@
 {{ client_data|json_script:"client_data" }}
-<script>
+<script nonce="{{ request.csp_nonce }}">
   NEXB = {};
   NEXB.client_data = JSON.parse(document.getElementById("client_data").textContent);
 
diff --git a/dje/templates/global_search.html b/dje/templates/global_search.html
index 880e828e..b0f1f5ba 100644
--- a/dje/templates/global_search.html
+++ b/dje/templates/global_search.html
@@ -143,7 +143,7 @@ <h4>
     <script src="{% static 'js/scroll_to.js' %}" integrity="sha384-5b5N+CiBiLgPGLMj4/gsf7MiPclQO0wtbtg1aUq+wogLo8D59FAoRjL/TfuKZf/t" crossorigin="anonymous"></script>
 
     {% if include_purldb %}
-        <script>
+        <script nonce="{{ request.csp_nonce }}">
         {% url 'purldb:purldb_search_table' as purldb_search_table_url %}
         document.addEventListener('DOMContentLoaded', function () {
             const purldb_section = $('#purldb_section');
diff --git a/dje/templates/hierarchy_base.js.html b/dje/templates/hierarchy_base.js.html
index c74e979f..947b1473 100644
--- a/dje/templates/hierarchy_base.js.html
+++ b/dje/templates/hierarchy_base.js.html
@@ -1,4 +1,4 @@
-<script>
+<script nonce="{{ request.csp_nonce }}">
   const tabId = "{{ tab_name|default:"tab_hierarchy" }}"
 
   function isTabActive(id) {
diff --git a/dje/templates/includes/dependencies-json-viewer.js.html b/dje/templates/includes/dependencies-json-viewer.js.html
index 68e17563..ab5487cc 100644
--- a/dje/templates/includes/dependencies-json-viewer.js.html
+++ b/dje/templates/includes/dependencies-json-viewer.js.html
@@ -1,4 +1,4 @@
-<script>
+<script nonce="{{ request.csp_nonce }}">
   document.addEventListener('DOMContentLoaded', function () {
     let dependencies_fields = $('pre.field-dependencies');
     dependencies_fields.each(function() {
diff --git a/dje/templates/includes/require_js.html b/dje/templates/includes/require_js.html
index 3798295f..58bb3cc9 100644
--- a/dje/templates/includes/require_js.html
+++ b/dje/templates/includes/require_js.html
@@ -1,5 +1,5 @@
 {% load static %}
-<script>
+<script nonce="{{ request.csp_nonce }}">
     require(['{% static 'js/requirejs_config.js' %}'], function () {
 
         {% if debug %}
diff --git a/dje/templates/object_details_base.html b/dje/templates/object_details_base.html
index bf1fd9d7..a9f6a1d2 100644
--- a/dje/templates/object_details_base.html
+++ b/dje/templates/object_details_base.html
@@ -104,7 +104,7 @@ <h1 class="header-title text-break">
 
 {% block javascripts %}
   <script src="{% static 'js/clipboard-2.0.0.min.js' %}" integrity="sha384-5tfO0soa+FisnuBhaHP2VmPXQG/JZ8dLcRL43IkJFzbsXTXT6zIX8q8sIT0VSe2G" crossorigin="anonymous"></script>
-  <script>
+  <script nonce="{{ request.csp_nonce }}">
   document.addEventListener('DOMContentLoaded', function() {
     // Activate the tags
     const triggerTabList = document.querySelectorAll('#details_tab button');
diff --git a/dje/templates/object_form.html b/dje/templates/object_form.html
index 66cc74f0..a9633b34 100644
--- a/dje/templates/object_form.html
+++ b/dje/templates/object_form.html
@@ -47,7 +47,7 @@ <h1 class="header-title">
   {% endif %}
   {{ licenses_data_for_builder|json_script:"licenses_data_for_builder" }}
   {{ form.identifier_fields|json_script:"identifier_fields" }}
-  <script>
+  <script nonce="{{ request.csp_nonce }}">
     document.addEventListener('DOMContentLoaded', function () {
       if (typeof(flatpickr) != 'undefined') $('.datepicker').flatpickr();
 
diff --git a/dje/templates/object_list_base.html b/dje/templates/object_list_base.html
index 86df3dc7..5e390900 100644
--- a/dje/templates/object_list_base.html
+++ b/dje/templates/object_list_base.html
@@ -90,7 +90,7 @@
 
 {% block javascripts %}
   <script src="{% static 'bootstrap-select-1.14.0-beta3/js/bootstrap-select.min.js' %}" integrity="sha384-9Q6WYox+EJ0woUyO2q27atOpUdbUzrABDlL6Qhpr4eDqY0CxPs8GYD4ZSJYwv4pB" crossorigin="anonymous"></script>
-  <script>
+  <script nonce="{{ request.csp_nonce }}">
         document.addEventListener('DOMContentLoaded', () => {
             /* Tooltips on hierarchy and activity links */
             $('.h-link').tooltip({placement: 'bottom', title: 'Hierarchy view', container: 'body'});
diff --git a/dje/templates/version_grouping_script.html b/dje/templates/version_grouping_script.html
index 41f092fa..aceac09e 100644
--- a/dje/templates/version_grouping_script.html
+++ b/dje/templates/version_grouping_script.html
@@ -1,4 +1,4 @@
-<script>
+<script nonce="{{ request.csp_nonce }}">
     $('.j_expand_multiple_versions').click(function() {
         var active = $(this).data('active');
         if (active) {
diff --git a/dje/templates/widgets/autocomplete.html b/dje/templates/widgets/autocomplete.html
index 5483a210..7be76aaf 100644
--- a/dje/templates/widgets/autocomplete.html
+++ b/dje/templates/widgets/autocomplete.html
@@ -14,6 +14,6 @@
   </a>
 {% endif %}
 
-<script>
+<script nonce="{{ request.csp_nonce }}">
   AutocompleteWidget.init("{{ field_selector }}", "#id_object_id", "#{{ object_link_id }}", "{{ display_attribute }}");
 </script>
\ No newline at end of file
diff --git a/license_library/templates/license_library/license_details.html b/license_library/templates/license_library/license_details.html
index e219dde7..ae87c6d9 100644
--- a/license_library/templates/license_library/license_details.html
+++ b/license_library/templates/license_library/license_details.html
@@ -18,7 +18,7 @@
     {% if use_annotator %}
         <script src="{% static 'js/annotator/annotator-full.1.2.10.min.js' %}" integrity="sha384-sEO2jPWk30x9NENDIYgqrh055b5T+L2LIwyjYmR7aUa2tcilfgpuZxJk+FVfGn7B" crossorigin="anonymous"></script>
         <script src="{% static 'js/annotator_plugins/TagsInSelect.js' %}" integrity="sha384-alg5wwJ8txecPoo95o+qi7GLwHYhkPVhtHp2TJeHI3eB5+GNTErrOj2sWXUM8vGj" crossorigin="anonymous"></script>
-        <script>
+        <script nonce="{{ request.csp_nonce }}">
             (function ($) {
                 $(document).ready(function () {
                     var annotator = $('#licensetext .clipboard').annotator({readOnly: true}).data('annotator');
diff --git a/license_library/templates/license_library/license_list.html b/license_library/templates/license_library/license_list.html
index b4f24cd4..052af9f0 100644
--- a/license_library/templates/license_library/license_list.html
+++ b/license_library/templates/license_library/license_list.html
@@ -15,7 +15,7 @@
 
 {% block javascripts %}
   {{ block.super }}
-  <script>
+  <script nonce="{{ request.csp_nonce }}">
   document.addEventListener('DOMContentLoaded', function () {
     $('span[data-category-pk]').popover({
       'placement': 'right',
diff --git a/organization/templates/organization/includes/owner_hierarchy.js.html b/organization/templates/organization/includes/owner_hierarchy.js.html
index a376c006..e7f9767e 100644
--- a/organization/templates/organization/includes/owner_hierarchy.js.html
+++ b/organization/templates/organization/includes/owner_hierarchy.js.html
@@ -1,4 +1,4 @@
-<script>
+<script nonce="{{ request.csp_nonce }}">
   function is_active_tab(id) {
     var active_tab_id = $('.tab-pane.active')[0].id;
     return (active_tab_id == id);
diff --git a/product_portfolio/templates/admin/product_portfolio/product/change_form.html b/product_portfolio/templates/admin/product_portfolio/product/change_form.html
index e0983dce..79147e31 100644
--- a/product_portfolio/templates/admin/product_portfolio/product/change_form.html
+++ b/product_portfolio/templates/admin/product_portfolio/product/change_form.html
@@ -22,7 +22,7 @@
     {% url 'admin:product_portfolio_productcomponent_changelist' as productcomponent_changelist_url %}
     {% url 'admin:product_portfolio_productpackage_changelist' as productpackage_changelist_url %}
     {% if original.is_active %}
-    <script>
+    <script nonce="{{ request.csp_nonce }}">
         (function($) {
             document.addEventListener('DOMContentLoaded', function () {
                 {% include 'includes/keywords_autocomplete.js.html' %}
diff --git a/product_portfolio/templates/product_portfolio/import_from_scan.html b/product_portfolio/templates/product_portfolio/import_from_scan.html
index 1f734e79..405ef912 100644
--- a/product_portfolio/templates/product_portfolio/import_from_scan.html
+++ b/product_portfolio/templates/product_portfolio/import_from_scan.html
@@ -71,7 +71,7 @@ <h5>Option 2: from ScanCode.io pipeline results</h5>
 
 {% block javascripts %}
   {{ block.super }}
-  <script>
+  <script nonce="{{ request.csp_nonce }}">
     document.addEventListener('DOMContentLoaded', function () {
       $('form').on('submit', function(e) {
         // Prevent from re-submitting the form by mistake
diff --git a/product_portfolio/templates/product_portfolio/import_manifests_form.html b/product_portfolio/templates/product_portfolio/import_manifests_form.html
index 59a39480..08dfca73 100644
--- a/product_portfolio/templates/product_portfolio/import_manifests_form.html
+++ b/product_portfolio/templates/product_portfolio/import_manifests_form.html
@@ -71,7 +71,7 @@ <h1 class="header-title">
 {% endblock %}
 
 {% block javascripts %}
-  <script>
+  <script nonce="{{ request.csp_nonce }}">
     $(document).ready(function () {
       $('form#import-manifest-form').on('submit', function () {
         // Prevent from re-submitting the form by mistake
diff --git a/product_portfolio/templates/product_portfolio/load_sboms_form.html b/product_portfolio/templates/product_portfolio/load_sboms_form.html
index 04775e1a..61887597 100644
--- a/product_portfolio/templates/product_portfolio/load_sboms_form.html
+++ b/product_portfolio/templates/product_portfolio/load_sboms_form.html
@@ -73,7 +73,7 @@ <h1 class="header-title">
 {% endblock %}
 
 {% block javascripts %}
-  <script>
+  <script nonce="{{ request.csp_nonce }}">
     $(document).ready(function () {
       $('form#import-manifest-form').on('submit', function () {
         // Prevent from re-submitting the form by mistake
diff --git a/product_portfolio/templates/product_portfolio/modals/pull_project_data_modal.html b/product_portfolio/templates/product_portfolio/modals/pull_project_data_modal.html
index 3035df7b..314fcfb2 100644
--- a/product_portfolio/templates/product_portfolio/modals/pull_project_data_modal.html
+++ b/product_portfolio/templates/product_portfolio/modals/pull_project_data_modal.html
@@ -26,7 +26,7 @@ <h5 class="modal-title">Import ScanCode.io project</h5>
   </div>
 </div>
 
-<script>
+<script nonce="{{ request.csp_nonce }}">
   $(document).ready(function () {
     $('#pull-project-data-form').on('submit', function () {
       NEXB.displayOverlay("Pulling Project data...");
diff --git a/product_portfolio/templates/product_portfolio/modals/scancode_project_status_modal.html b/product_portfolio/templates/product_portfolio/modals/scancode_project_status_modal.html
index aa4c1e7f..713b2133 100644
--- a/product_portfolio/templates/product_portfolio/modals/scancode_project_status_modal.html
+++ b/product_portfolio/templates/product_portfolio/modals/scancode_project_status_modal.html
@@ -16,7 +16,7 @@ <h5 class="modal-title">Import status</h5>
   </div>
 </div>
 
-<script>
+<script nonce="{{ request.csp_nonce }}">
 document.addEventListener('DOMContentLoaded', function () {
   $('#scancode-project-status-modal').on('show.bs.modal', function (event) {
     let modal_body = $('#scancode-project-status-modal div.modal-body')
diff --git a/product_portfolio/templates/product_portfolio/object_manage_grid.html b/product_portfolio/templates/product_portfolio/object_manage_grid.html
index 61c85f82..d57f9a29 100644
--- a/product_portfolio/templates/product_portfolio/object_manage_grid.html
+++ b/product_portfolio/templates/product_portfolio/object_manage_grid.html
@@ -174,7 +174,7 @@ <h5 class="modal-title">Create new Component</h5>
   {% endif %}
 
   {{ licenses_data_for_builder|json_script:"licenses_data_for_builder" }}
-  <script>
+  <script nonce="{{ request.csp_nonce }}">
     document.addEventListener('DOMContentLoaded', function () {
       let related_verbose_name = '{{ related_verbose_name|capfirst }}';
 
diff --git a/product_portfolio/templates/product_portfolio/product_details.html b/product_portfolio/templates/product_portfolio/product_details.html
index 6f4f11cd..709fce98 100644
--- a/product_portfolio/templates/product_portfolio/product_details.html
+++ b/product_portfolio/templates/product_portfolio/product_details.html
@@ -183,7 +183,7 @@
   {% endif %}
 
   {% if display_scan_features %}
-    <script>
+    <script nonce="{{ request.csp_nonce }}">
       document.addEventListener("DOMContentLoaded", function () {
         document.getElementById("scan-package-modal").addEventListener("show.bs.modal", function (event) {
           let triggerButton = event.relatedTarget; // Button that triggered the modal
@@ -203,7 +203,7 @@
   {% endif %}
 
   {% if has_scan_all_packages %}
-    <script>
+    <script nonce="{{ request.csp_nonce }}">
       document.addEventListener("DOMContentLoaded", function () {
         document.querySelector('#scan_all_packages_submit').addEventListener('click', function() {
           NEXB.displayOverlay("Submitting Scan Request...");
@@ -215,7 +215,7 @@
   {% if has_edit_productpackage or has_edit_productcomponent or has_add_productcomponent %}
     <script src="{% static 'awesomplete/awesomplete-1.1.5.min.js' %}" integrity="sha384-p5NIw+GEWbrK/9dC3Vuxh36c2HL0ETAXQ81nk8gl1B7FHZmXehonZWs/HBqunmCI" crossorigin="anonymous"></script>
     <script src="{% static 'js/license_expression_builder.js' %}" integrity="sha384-sb1eCgSzQ43/Yt/kNTeuZ9XmmY0rfloyqPka6VPMR6ZWJsK0pTfsAnTHY7XRZUgd" crossorigin="anonymous"></script>
-    <script>
+    <script nonce="{{ request.csp_nonce }}">
       $(document).ready(function () {
         let edit_modal = $('#edit-productrelation-modal');
         edit_modal.on('show.bs.modal', function (event) {
@@ -284,7 +284,7 @@
   {% endif %}
 
   {% if request.user.dataspace.enable_vulnerablecodedb_access and product.vulnerability_count %}
-    <script>
+    <script nonce="{{ request.csp_nonce }}">
       $(document).ready(function () {
         let vulnerability_modal = $('#vulnerability-analysis-modal');
         vulnerability_modal.on('show.bs.modal', function (event) {
@@ -344,7 +344,7 @@
   {% endif %}
 
   {% if purldb_enabled %}
-    <script>
+    <script nonce="{{ request.csp_nonce }}">
       document.addEventListener('DOMContentLoaded', function () {
         document.getElementById('check-package-versions').addEventListener('click', function (event) {
           event.preventDefault();
@@ -444,7 +444,7 @@
         })
       });
     </script>
-    <script>
+    <script nonce="{{ request.csp_nonce }}">
       document.addEventListener('DOMContentLoaded', function () {
         document.querySelector('#improve_from_purldb').addEventListener('click', function() {
           NEXB.displayOverlay("Fetching data from PurlDB...");
diff --git a/product_portfolio/templates/product_portfolio/product_list.html b/product_portfolio/templates/product_portfolio/product_list.html
index 732e026a..9d9c96a6 100644
--- a/product_portfolio/templates/product_portfolio/product_list.html
+++ b/product_portfolio/templates/product_portfolio/product_list.html
@@ -12,7 +12,7 @@
 
 {% block javascripts %}
     {{ block.super }}
-    <script>
+    <script nonce="{{ request.csp_nonce }}">
     $(document).ready(function () {
         let compare_button = $('#compare_button');
         let compare_button_wrapper = compare_button.parent();
diff --git a/product_portfolio/templates/product_portfolio/product_tree_comparison.html b/product_portfolio/templates/product_portfolio/product_tree_comparison.html
index 6a59236b..12d8878d 100644
--- a/product_portfolio/templates/product_portfolio/product_tree_comparison.html
+++ b/product_portfolio/templates/product_portfolio/product_tree_comparison.html
@@ -78,7 +78,7 @@ <h1 class="header-title">
 
 {% block javascripts %}
   {{ block.super }}
-  <script>
+  <script nonce="{{ request.csp_nonce }}">
     document.addEventListener('DOMContentLoaded', function () {
       $("#show-only-box input:checkbox").change(function (e) {
         var class_value = "." + $(this).val();
diff --git a/product_portfolio/templates/product_portfolio/tabs/tab_codebase.html b/product_portfolio/templates/product_portfolio/tabs/tab_codebase.html
index 93aaa66e..62506629 100644
--- a/product_portfolio/templates/product_portfolio/tabs/tab_codebase.html
+++ b/product_portfolio/templates/product_portfolio/tabs/tab_codebase.html
@@ -108,7 +108,7 @@
 </table>
 {% endspaceless %}
 
-<script>
+<script nonce="{{ request.csp_nonce }}">
    $('.toggle-details')
       .tooltip({container: 'body', placement: 'top'})
       .on('click', function() {
diff --git a/product_portfolio/templates/product_portfolio/tabs/tab_inventory.html b/product_portfolio/templates/product_portfolio/tabs/tab_inventory.html
index 91bf791f..bc0abac3 100644
--- a/product_portfolio/templates/product_portfolio/tabs/tab_inventory.html
+++ b/product_portfolio/templates/product_portfolio/tabs/tab_inventory.html
@@ -282,7 +282,7 @@
 </div>
 {% endspaceless %}
 
-<script>
+<script nonce="{{ request.csp_nonce }}">
   // Select all elements with the class 'toggle-details'
   document.querySelectorAll('.toggle-details').forEach(function(toggleDetail) {
       // Add event listener for 'click' event
diff --git a/reporting/templates/admin/reporting/columntemplate/change_form.html b/reporting/templates/admin/reporting/columntemplate/change_form.html
index b5c4684a..11861b7c 100644
--- a/reporting/templates/admin/reporting/columntemplate/change_form.html
+++ b/reporting/templates/admin/reporting/columntemplate/change_form.html
@@ -5,7 +5,7 @@
 {% block javascripts %}
     {{ block.super }}
     <script src="{% static 'js/spin.js' %}" integrity="sha384-0LswTjFRsquDy/jvRaoLlf9tDAAVefA0sbg/kXz/PM9mflkwnfXlaMvYcfiumYUC" crossorigin="anonymous"></script>
-    <script>
+    <script nonce="{{ request.csp_nonce }}">
         grp.jQuery(function () {
             var spinner = new Spinner({
                 lines: 13,
diff --git a/reporting/templates/admin/reporting/inline_sortable_fix.html b/reporting/templates/admin/reporting/inline_sortable_fix.html
index 0d788af3..b36df530 100644
--- a/reporting/templates/admin/reporting/inline_sortable_fix.html
+++ b/reporting/templates/admin/reporting/inline_sortable_fix.html
@@ -2,7 +2,7 @@
 {# The tabular.html template is not used in the reporting changeform for inlines, those   #}
 {# are rendered with ember.js instead. The purpose is this code is to force to set the    #}
 {# sortable_field_name values when submitting the form #}
-<script>
+<script nonce="{{ request.csp_nonce }}">
 (function($) {
     $(document).ready(function($) {
             $("#{{ model_name }}_form").bind("submit", function(){
diff --git a/reporting/templates/admin/reporting/query/change_form.html b/reporting/templates/admin/reporting/query/change_form.html
index cb0d91c0..85a2aa2d 100644
--- a/reporting/templates/admin/reporting/query/change_form.html
+++ b/reporting/templates/admin/reporting/query/change_form.html
@@ -5,7 +5,7 @@
 {% block javascripts %}
     {{ block.super }}
     <script src="{% static 'js/spin.js' %}" integrity="sha384-0LswTjFRsquDy/jvRaoLlf9tDAAVefA0sbg/kXz/PM9mflkwnfXlaMvYcfiumYUC" crossorigin="anonymous"></script>
-    <script>
+    <script nonce="{{ request.csp_nonce }}">
         grp.jQuery(function () {
             var spinner = new Spinner({
                 lines: 13,
diff --git a/workflow/templates/admin/workflow/requesttemplate/change_form.html b/workflow/templates/admin/workflow/requesttemplate/change_form.html
index db29f3c7..76dc211a 100644
--- a/workflow/templates/admin/workflow/requesttemplate/change_form.html
+++ b/workflow/templates/admin/workflow/requesttemplate/change_form.html
@@ -6,7 +6,7 @@
     {{ block.super }}
     {% if not_editable %}
         {# Removes the "Save" and "Save and continue editing" buttons #}
-        <script>
+        <script nonce="{{ request.csp_nonce }}">
             (function($){
                 $(document).ready(function(){
                     $("input[name='_continue']").parent().remove();
@@ -16,7 +16,7 @@
         </script>
     {% endif %}
 
-    <script>
+    <script nonce="{{ request.csp_nonce }}">
         (function($){
             function set_include_product_checkbox() {
                 var include_product = $("#id_include_product");
diff --git a/workflow/templates/workflow/request_details.html b/workflow/templates/workflow/request_details.html
index 6acfbfbf..55f99f0c 100644
--- a/workflow/templates/workflow/request_details.html
+++ b/workflow/templates/workflow/request_details.html
@@ -167,7 +167,7 @@ <h2 class="h4">{{ request_instance.request_template.name }}</h2>
   <script src="{% static 'js/scroll_to.js' %}" integrity="sha384-5b5N+CiBiLgPGLMj4/gsf7MiPclQO0wtbtg1aUq+wogLo8D59FAoRjL/TfuKZf/t" crossorigin="anonymous"></script>
   <script src="{% static 'js/jquery.dirtyforms.2.0.0.min.js' %}" integrity="sha384-xesGfeB9VUH4sEN2ROWGaWMcYi5B/NjoBb5XK6cvcuUyL6f+GI2B7kcCzbqsJcwc" crossorigin="anonymous"></script>
   <script src="{% static 'js/clipboard-2.0.0.min.js' %}" integrity="sha384-5tfO0soa+FisnuBhaHP2VmPXQG/JZ8dLcRL43IkJFzbsXTXT6zIX8q8sIT0VSe2G" crossorigin="anonymous"></script>
-  <script>
+  <script nonce="{{ request.csp_nonce }}">
     document.addEventListener('DOMContentLoaded', function () {
       $('.delete_attachment_link').click(function() {
         var uuid = $(this).data('uuid');
diff --git a/workflow/templates/workflow/request_form.html b/workflow/templates/workflow/request_form.html
index 05b01a54..9833aaf1 100644
--- a/workflow/templates/workflow/request_form.html
+++ b/workflow/templates/workflow/request_form.html
@@ -72,7 +72,7 @@ <h2 class="h4">{{ form.request_template.name }}</h2>
 {% block javascripts %}
   {{ block.super }}
   <script src="{% static 'js/jquery.dirtyforms.2.0.0.min.js' %}" integrity="sha384-xesGfeB9VUH4sEN2ROWGaWMcYi5B/NjoBb5XK6cvcuUyL6f+GI2B7kcCzbqsJcwc" crossorigin="anonymous"></script>
-  <script>
+  <script nonce="{{ request.csp_nonce }}">
     document.addEventListener('DOMContentLoaded', function () {
       $('#button-id-cancel').click(function(event) {
         event.preventDefault();
diff --git a/workflow/templates/workflow/request_list.html b/workflow/templates/workflow/request_list.html
index 119748e2..d8cad6d1 100644
--- a/workflow/templates/workflow/request_list.html
+++ b/workflow/templates/workflow/request_list.html
@@ -36,7 +36,7 @@
 
 {% block javascripts %}
   {{ block.super }}
-  <script>
+  <script nonce="{{ request.csp_nonce }}">
     document.addEventListener('DOMContentLoaded', function () {
       // is_private icon tooltip
       $('.help_text').tooltip({ placement: 'right'});