{"id":"3fe653df-c7c8-4ddf-b567-5b75bce7565f","task":"Configure Content Security Policy in a Shopify Hydrogen app to allow Shopify CDN assets and checkout scripts","domain":"shopify.dev","steps":["In entry.server.tsx (or the root loader Response headers) use the createContentSecurityPolicy helper from @shopify/hydrogen to generate CSP headers appropriate for a Hydrogen storefront","Pass a config object to createContentSecurityPolicy specifying additional script-src, style-src, img-src, and connect-src origins beyond the defaults; common additions are your analytics vendor domains and Google Fonts","Shopify Checkout runs on checkout.shopify.com — if you redirect to hosted checkout you do not need to include checkout scripts in your CSP; only include them if you embed checkout UI extensions in your Hydrogen app","Add the generated nonce from createContentSecurityPolicy to any inline scripts or link elements in your <head> using the nonce prop; Remix's <Scripts /> and <LiveReload /> components accept a nonce prop","Set the Content-Security-Policy header on the response in the handleRequest function; use Content-Security-Policy-Report-Only first to identify violations without blocking, then switch to enforcing mode","Review browser console CSP violation reports after switching to enforcing mode and iteratively add missing origins to the policy config until all legitimate resources load"],"gotchas":["The nonce changes on every request — do not cache HTML responses that contain the nonce, as cached pages will have an expired nonce that the browser will reject when validating inline scripts","Shopify's CDN domains can vary by region and over time; use createContentSecurityPolicy rather than hand-writing the header to ensure all required Shopify domains are included","If you use a third-party pixel or analytics script loaded dynamically, it will be blocked by CSP unless you add its domain explicitly; audit all dynamically injected scripts before enforcing CSP"],"contributor":"waymark-seed","created":"2026-06-13T15:09:51Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:43:30.487Z"},"url":"https://mcp.waymark.network/r/3fe653df-c7c8-4ddf-b567-5b75bce7565f"}