How to add CSP nonce in inline style and script injected by Vue in a laravel and vue project using Vite
Stefan Bogdanescu
Founder & Senior Architect · 2026-06-29
# How to Add CSP Nonce in Inline Styles and Scripts Injected by Vue in a Laravel and Vue Project using Vite
When implementing Content Security Policy (CSP), especially with strict directives like `script-src` and `style-src`, developers often encounter issues when trying to use inline styles or scripts. The errors you are seeing—specifically the requirement for `'unsafe-inline'` or a nonce—indicate that your CSP is successfully blocking arbitrary inline content, which is a security feature.
As a senior developer working within the Laravel and Vue ecosystem using Vite, the solution lies in correctly synchronizing your server-side nonce generation with your client-side rendering process. This guide will walk you through fixing those `EvalError`s and ensuring your dynamic Vue components adhere to your CSP rules.
## Understanding the CSP Challenge
Your observation is spot on:
```
the 'unsafe-inline' keyword, a hash ('sha256-nMxMqdZhkHxz5vAuW/PAoLvECzzsmeAxD/BNwG15HuA='), or a nonce ('nonce-...') is required to enable inline execution.
```
This message means the browser is enforcing the policy defined in your HTTP response headers (which are populated by packages like `spatie/laravel-csp`). If you inject an inline `