
What started as a simple security hardening task on a Next.js 16 marketing site turned into a lesson...
What started as a simple security hardening task on a Next.js 16 marketing site turned into a lesson about how App Router, SSG, PPR, and CSP actually interact.
Most developers assume:
Static Site Generation (SSG) + CSP = Easy
That was my assumption too. But there's a catch.
Next.js App Router injects multiple inline scripts into prerendered pages:
<script>
self.__next_f.push(...)
</script>
These scripts are essential for React Server Components (RSC) hydration and streaming.
The problem? A strict CSP like:
script-src 'self'
blocks them.
My first thought was: "No problem, I'll use nonce-based CSP."
But nonces are generated per request, while SSG and PPR pages are generated at build time. Which means:
No request = No nonce
So nonce-based CSP and prerendered HTML are fundamentally at odds.
And here's the interesting part: this isn't really a PPR problem. It's a prerendered HTML problem. Whether you're using SSG, ISR, or PPR, the challenge is the same — the HTML already exists before the request arrives, so there's no opportunity to inject a request-specific nonce.
The next idea seemed obvious: "If Next.js supports Subresource Integrity (SRI), doesn't that solve the problem?"
After enabling SRI, external scripts looked like this:
<script
src="/_next/static/chunks/..."
integrity="sha256-..."
></script>
Great. But then we inspected the generated HTML. The external scripts were protected — the inline scripts were still there:
<script>
self.__next_f.push(...)
</script>
And that's when the distinction became clear:
They solve different problems. SRI helped protect the external bundles, but it did not solve the CSP challenge around Next.js' inline RSC scripts.
After auditing the site, we found:
script-src length: 503 charactersThat last point matters: 161 SHA-256 hashes obviously can't fit in 503 characters. We generate a per-route CSP header, so each page's script-src only contains the hashes for the inline scripts that page actually serves. The 161 figure is the global total across all routes.
At first I assumed hash-based CSP would become unmanageable. The data said otherwise. Because every page is statically generated, every inline script is deterministic at build time. Which means we can:
script-srcThere are tradeoffs:
For scale intuition:
10 pages → Probably insignificant
100 pages → Usually manageable
1000+ pages → Worth measuring
To be precise, the challenge isn't really the number of pages — it's the number of unique inline scripts.
You could have:
1000 pages → same scripts reused everywhere → small CSP header
Or:
100 pages → unique inline scripts per page → large CSP header
At some point, you're not just solving a security problem anymore. You're managing CSP infrastructure.
The solution wasn't "use nonces." It wasn't "use SRI." And it definitely wasn't "hash everything."
The real lesson was understanding the constraints imposed by the rendering model. The common discussion is often framed as:
❌ PPR vs CSP
When the real discussion is:
✅ Nonce-based CSP vs Prerendered HTML
Once I started looking at it through that lens, the tradeoffs became much clearer. Different applications will likely arrive at different answers:
There isn't a universal solution. Only tradeoffs.
And that's what made this investigation far more interesting than I expected.
Curious how others are handling CSP with Next.js App Router, SSG, or PPR in production — drop a comment.
aiMost of us have seen a coding agent fail to complete a task we know it can do. We just don't...
googlecloudWhen building Generative AI applications, developers often encounter a massive bottleneck: sequential...
discussI’ve been thinking about sharing some electronic circuit posts on Dev.to — small circuits, DIY...
agentsWhat nobody tells you about exporting your multi-agent prototype to a local workspace. Every...
agenticarchitectAutonomous agents are genuinely good at answering messy business questions. Give one an LLM and a set...
aiPR volume went up, ticket quality didn't, and the gap got filled with LLMs on both sides of the review: bots reviewing, bots replying, bots occasionally arguing with bots about priorities that only existed in a teammate's head. Our CEO named the actual problem, and it's bigger than code review.
Workflows from the Neura Market marketplace related to this Stable Diffusion resource