Update.

src/snek/app.py

@@ -28,7 +28,7 @@ from snek.service import get_services
 from snek.system import http
 from snek.system.cache import Cache
 from snek.system.markdown import MarkdownExtension
-from snek.system.middleware import auth_middleware, cors_middleware
+from snek.system.middleware import auth_middleware, cors_middleware, csp_middleware
 from snek.system.profiler import profiler_handler
 from snek.system.template import EmojiExtension, LinkifyExtension, PythonExtension
 from snek.view.about import AboutHTMLView, AboutMDView
@@ -111,7 +111,8 @@ class Application(BaseApplication):
         middlewares = [
             cors_middleware,
             web.normalize_path_middleware(merge_slashes=True),
-            ip2location_middleware
+            ip2location_middleware,
+            csp_middleware
         ]
         self.template_path = pathlib.Path(__file__).parent.joinpath("templates")
         self.static_path = pathlib.Path(__file__).parent.joinpath("static")

src/snek/system/middleware.py

@@ -7,7 +7,19 @@
 # MIT License: This code is distributed under the MIT License.
 
 from aiohttp import web
+import secrets
 
+def generate_nonce():
+    return secrets.token_hex(16)
+
+@web.middleware
+async def csp_middleware(app, handler):
+    async def middleware(request):
+        response = await handler(request)
+        nonce = generate_nonce()
+        response.headers['Content-Security-Policy'] = csp_policy.format(nonce=nonce)
+        return response
+    return middleware
 
 @web.middleware
 async def no_cors_middleware(request, handler):