Content Security Policy nonce support for inline scripts in AEM Sites
A strict Content Security Policy (CSP) mitigates security risks like cross-site scripting (XSS). In Adobe Experience Manager (AEM) Sites, using script-src 'unsafe-inline' and 'unsafe-eval' enables inline scripts but introduces vulnerabilities. This guide explains whether AEM Sites supports CSP nonces or secure alternatives for loading inline scripts without unsafe directives.
To fix this, you’ll need to refactor inline scripts and implement custom nonce handling.
Description
Environment
Product: AEM as a Cloud Service – Sites
Issue/Symptoms
- Inline scripts fail to load when the CSP excludes 'unsafe-inline' and 'unsafe-eval'.
- These flags are flagged as a security risk, but removing them disrupts functionality.
- A secure method like CSP nonces is needed to allow inline script execution without compromising security.
Resolution
Key considerations:
- AEM Sites doesn’t provide out-of-the-box support for CSP nonces.
- AEM doesn’t automatically decorate its inline scripts with nonces.
- To enforce a stricter CSP without unsafe directives (i.e., excluding unsafe-inline/unsafe-eval):
  - Refactor inline scripts into external JavaScript files. Refer to Configuring a CSP in Experience Platform documentation for more details.
  - Build a custom solution to generate and inject nonces if required.
  - Test all changes to ensure page functionality isn’t disrupted.
Notes:
- The absence of CSP does not constitute an inherent vulnerability in AEM; it serves as an additional layer of defense. See Content security policy overview in Commerce documentation.
- Custom implementation is necessary for stricter CSP enforcement beyond what is currently supported out-of-the-box.