diff --git a/app/controllers/blazer/base_controller.rb b/app/controllers/blazer/base_controller.rb
index 9d7253aae..925ddeee0 100644
--- a/app/controllers/blazer/base_controller.rb
+++ b/app/controllers/blazer/base_controller.rb
@@ -23,9 +23,7 @@ class BaseController < ApplicationController
     end
 
     if Blazer.override_csp
-      after_action do
-        response.headers['Content-Security-Policy'] = "default-src 'self' https: 'unsafe-inline' 'unsafe-eval' data: blob:"
-      end
+      after_action :override_csp
     end
 
     layout "blazer/application"
@@ -129,5 +127,22 @@ def render_errors(resource)
     def default_url_options
       {}
     end
+
+    def override_csp
+      script_nonce = content_security_policy_nonce || raise(Blazer::Error, "couldn't find nonce for script-src")
+
+      response.headers['Content-Security-Policy'] = <<~CSP.squish
+      default-src 'self';
+      base-uri 'none';
+      img-src 'self' #{Rails.configuration.asset_host} data: blob:;
+      script-src 'self' 'nonce-#{script_nonce}' 'strict-dynamic' 'unsafe-eval' https: 'report-sample';
+      style-src 'self' #{Rails.configuration.asset_host} 'unsafe-inline' 'report-sample';
+      object-src 'none';
+      connect-src 'self' #{"https://*.tiles.mapbox.com https://api.mapbox.com https://events.mapbox.com" if Blazer.maps?};
+      child-src blob:;
+      worker-src blob: ;
+      form-action 'self';
+      CSP
+    end
   end
 end
diff --git a/app/views/blazer/_variables.html.erb b/app/views/blazer/_variables.html.erb
index a2bc8df1f..349f43115 100644
--- a/app/views/blazer/_variables.html.erb
+++ b/app/views/blazer/_variables.html.erb
@@ -1,6 +1,6 @@
 <% if @bind_vars.any? %>
   <% var_params = request.query_parameters %>
-  <script>
+  <script nonce="<%= content_security_policy_nonce %>">
     <%= blazer_js_var "timeZone", Blazer.time_zone.tzinfo.name %>
     var now = moment.tz(timeZone)
     var format = "YYYY-MM-DD"
@@ -21,7 +21,7 @@
       <%= label_tag var, var %>
       <% if (data = @smart_vars[var]) %>
         <%= select_tag var, options_for_select([[nil, nil]] + data, selected: var_params[var]), style: "margin-right: 20px; width: 200px; display: none;" %>
-        <script>
+        <script nonce="<%= content_security_policy_nonce %>">
           $("#<%= var %>").selectize({
             create: true
           });
@@ -35,7 +35,7 @@
           </div>
         </div>
 
-        <script>
+        <script nonce="<%= content_security_policy_nonce %>">
           (function() {
             var input = $("#<%= var %>")
             var datePicker = $("#<%= var %>-select")
@@ -75,7 +75,7 @@
         </div>
       </div>
 
-      <script>
+      <script nonce="<%= content_security_policy_nonce %>">
         function dateStr(daysAgo) {
           return now.clone().subtract(daysAgo || 0, "days").format(format)
         }
diff --git a/app/views/blazer/checks/_form.html.erb b/app/views/blazer/checks/_form.html.erb
index ceaf4e440..bcc0b577a 100644
--- a/app/views/blazer/checks/_form.html.erb
+++ b/app/views/blazer/checks/_form.html.erb
@@ -12,7 +12,7 @@
     <div class="hide">
       <%= f.select :query_id, [], {include_blank: true} %>
     </div>
-    <script>
+    <script nonce="<%= content_security_policy_nonce %>">
       <%= blazer_js_var "queries", Blazer::Query.active.named.order(:name).select("id, name").map { |q| {text: q.name, value: q.id} } %>
       <%= blazer_js_var "items", [@check.query_id].compact %>
 
@@ -28,7 +28,7 @@
         <% check_options << ["Anomaly (most recent data point)", "anomaly"] if Blazer.anomaly_checks %>
         <%= f.select :check_type, check_options %>
       </div>
-      <script>
+      <script nonce="<%= content_security_policy_nonce %>">
         $("#check_check_type").selectize({}).parent().removeClass("hide");
       </script>
     </div>
@@ -38,7 +38,7 @@
       <div class="hide">
         <%= f.select :invert, [["Any results (bad data)", false], ["No results (missing data)", true]] %>
       </div>
-      <script>
+      <script nonce="<%= content_security_policy_nonce %>">
         $("#check_invert").selectize({}).parent().removeClass("hide");
       </script>
     </div>
@@ -50,7 +50,7 @@
       <div class="hide">
         <%= f.select :schedule, Blazer.check_schedules.map { |v| [v, v] } %>
       </div>
-      <script>
+      <script nonce="<%= content_security_policy_nonce %>">
         $("#check_schedule").selectize({}).parent().removeClass("hide");
       </script>
     </div>
diff --git a/app/views/blazer/checks/index.html.erb b/app/views/blazer/checks/index.html.erb
index 5ce7296b8..de2ef08fc 100644
--- a/app/views/blazer/checks/index.html.erb
+++ b/app/views/blazer/checks/index.html.erb
@@ -62,7 +62,7 @@
   </tbody>
 </table>
 
-<script>
+<script nonce="<%= content_security_policy_nonce %>">
   $("#search").on("keyup", function() {
     var value = $(this).val().toLowerCase()
     $("#checks tbody tr").filter( function() {
diff --git a/app/views/blazer/dashboards/_form.html.erb b/app/views/blazer/dashboards/_form.html.erb
index af0d3cb2b..7451e5e75 100644
--- a/app/views/blazer/dashboards/_form.html.erb
+++ b/app/views/blazer/dashboards/_form.html.erb
@@ -30,7 +30,7 @@
   </p>
 <% end %>
 
-<script>
+<script nonce="<%= content_security_policy_nonce %>">
   <%= blazer_js_var "queries", Blazer::Query.active.named.order(:name).select("id, name").map { |q| {text: q.name, value: q.id} } %>
   <%= blazer_js_var "dashboardQueries", @queries || @dashboard.dashboard_queries.order(:position).map(&:query) %>
 
diff --git a/app/views/blazer/dashboards/show.html.erb b/app/views/blazer/dashboards/show.html.erb
index 30b716b93..b58ad86a2 100644
--- a/app/views/blazer/dashboards/show.html.erb
+++ b/app/views/blazer/dashboards/show.html.erb
@@ -38,7 +38,7 @@
       <p class="text-muted">Loading...</p>
     </div>
   </div>
-  <script>
+  <script nonce="<%= content_security_policy_nonce %>">
     <% data = {statement: query.statement, query_id: query.id, data_source: query.data_source, variables: variable_params(query), only_chart: true} %>
     <% data.merge!(cohort_period: params[:cohort_period]) if params[:cohort_period] %>
     <%= blazer_js_var "data", data %>
diff --git a/app/views/blazer/queries/_form.html.erb b/app/views/blazer/queries/_form.html.erb
index 5ad024c25..15aa85c6c 100644
--- a/app/views/blazer/queries/_form.html.erb
+++ b/app/views/blazer/queries/_form.html.erb
@@ -68,7 +68,7 @@
   </div>
 </div>
 
-<script>
+<script nonce="<%= content_security_policy_nonce %>">
   <%= blazer_js_var "variableParams", @variable_params %>
   <%= blazer_js_var "previewStatement", Blazer.data_sources.to_h { |k, v| [k, (v.preview_statement rescue "")] } %>
 
diff --git a/app/views/blazer/queries/home.html.erb b/app/views/blazer/queries/home.html.erb
index 80795fd37..0153167b2 100644
--- a/app/views/blazer/queries/home.html.erb
+++ b/app/views/blazer/queries/home.html.erb
@@ -56,7 +56,7 @@
   <p v-if="more" class="text-muted">Loading...</p>
 </div>
 
-<script>
+<script nonce="<%= content_security_policy_nonce %>">
   <%= blazer_js_var "dashboards", @dashboards %>
   <%= blazer_js_var "queries", @queries %>
   <%= blazer_js_var "more", @more %>
diff --git a/app/views/blazer/queries/run.html.erb b/app/views/blazer/queries/run.html.erb
index 33cba2b7f..217bfef67 100644
--- a/app/views/blazer/queries/run.html.erb
+++ b/app/views/blazer/queries/run.html.erb
@@ -75,7 +75,7 @@
     <% if Blazer.maps? && @markers.any? %>
       <% map_id = SecureRandom.hex %>
       <%= content_tag :div, nil, id: map_id, style: "height: #{@only_chart ? 300 : 500}px;" %>
-      <script>
+      <script nonce="<%= content_security_policy_nonce %>">
         <%= blazer_js_var "mapboxAccessToken", Blazer.mapbox_access_token %>
         <%= blazer_js_var "markers", @markers %>
         <%= blazer_js_var "mapId", map_id %>
@@ -84,7 +84,7 @@
     <% elsif Blazer.maps? && @geojson.any? %>
       <% map_id = SecureRandom.hex %>
       <%= content_tag :div, nil, id: map_id, style: "height: #{@only_chart ? 300 : 500}px;" %>
-      <script>
+      <script nonce="<%= content_security_policy_nonce %>">
         <%= blazer_js_var "mapboxAccessToken", Blazer.mapbox_access_token %>
         <%= blazer_js_var "geojson", @geojson %>
         <%= blazer_js_var "mapId", map_id %>
diff --git a/app/views/blazer/queries/schema.html.erb b/app/views/blazer/queries/schema.html.erb
index be3b2897f..aadd70661 100644
--- a/app/views/blazer/queries/schema.html.erb
+++ b/app/views/blazer/queries/schema.html.erb
@@ -28,7 +28,7 @@
   </table>
 <% end %>
 
-<script>
+<script nonce="<%= content_security_policy_nonce %>">
   $("#search").on("keyup", function() {
     var value = $(this).val().toLowerCase()
     $(".schema-table").filter(function() {
diff --git a/app/views/blazer/queries/show.html.erb b/app/views/blazer/queries/show.html.erb
index 8828ed00e..e97109337 100644
--- a/app/views/blazer/queries/show.html.erb
+++ b/app/views/blazer/queries/show.html.erb
@@ -52,7 +52,7 @@
     <p class="text-muted">Loading...</p>
   </div>
 
-  <script>
+  <script nonce="<%= content_security_policy_nonce %>">
     function showRun(data) {
       $("#results").html(data)
       $("#results table").stupidtable(stupidtableCustomSettings).stickyTableHeaders({fixedOffset: 60})
@@ -69,7 +69,7 @@
 <% end %>
 
 <% unless %w(mongodb).include?(Blazer.data_sources[@query.data_source].adapter) %>
-  <script>
+  <script nonce="<%= content_security_policy_nonce %>">
     // do not highlight really long queries
     // this can lead to performance issues
     var code = $("#code code")
diff --git a/app/views/blazer/uploads/index.html.erb b/app/views/blazer/uploads/index.html.erb
index 18dc1a2b1..690d95489 100644
--- a/app/views/blazer/uploads/index.html.erb
+++ b/app/views/blazer/uploads/index.html.erb
@@ -45,7 +45,7 @@
   </tbody>
 </table>
 
-<script>
+<script nonce="<%= content_security_policy_nonce %>">
   $("#search").on("keyup", function() {
     var value = $(this).val().toLowerCase()
     $("#uploads tbody tr").filter( function() {
diff --git a/app/views/layouts/blazer/application.html.erb b/app/views/layouts/blazer/application.html.erb
index b8a87f70e..93f71cf07 100644
--- a/app/views/layouts/blazer/application.html.erb
+++ b/app/views/layouts/blazer/application.html.erb
@@ -7,14 +7,14 @@
     <%= favicon_link_tag "blazer/favicon.png" %>
     <% if defined?(Propshaft::Railtie) %>
       <%= stylesheet_link_tag "blazer/bootstrap-propshaft", "blazer/bootstrap", "blazer/selectize", "blazer/github", "blazer/daterangepicker", "blazer/application" %>
-      <%= javascript_include_tag "blazer/jquery", "blazer/rails-ujs", "blazer/stupidtable", "blazer/stupidtable-custom-settings", "blazer/jquery.stickytableheaders", "blazer/selectize", "blazer/highlight.min", "blazer/moment", "blazer/moment-timezone-with-data", "blazer/daterangepicker", "blazer/chart.umd", "blazer/chartjs-adapter-date-fns.bundle", "blazer/chartkick", "blazer/mapkick.bundle", "blazer/ace/ace", "blazer/ace/ext-language_tools", "blazer/ace/theme-twilight", "blazer/ace/mode-sql", "blazer/ace/snippets/text", "blazer/ace/snippets/sql", "blazer/Sortable", "blazer/bootstrap", "blazer/vue.global.prod", "blazer/routes", "blazer/queries", "blazer/fuzzysearch", "blazer/application" %>
+      <%= javascript_include_tag "blazer/jquery", "blazer/rails-ujs", "blazer/stupidtable", "blazer/stupidtable-custom-settings", "blazer/jquery.stickytableheaders", "blazer/selectize", "blazer/highlight.min", "blazer/moment", "blazer/moment-timezone-with-data", "blazer/daterangepicker", "blazer/chart.umd", "blazer/chartjs-adapter-date-fns.bundle", "blazer/chartkick", "blazer/mapkick.bundle", "blazer/ace/ace", "blazer/ace/ext-language_tools", "blazer/ace/theme-twilight", "blazer/ace/mode-sql", "blazer/ace/snippets/text", "blazer/ace/snippets/sql", "blazer/Sortable", "blazer/bootstrap", "blazer/vue.global.prod", "blazer/routes", "blazer/queries", "blazer/fuzzysearch", "blazer/application", nonce: true %>
     <% else %>
       <%= stylesheet_link_tag "blazer/application" %>
-      <%= javascript_include_tag "blazer/application" %>
+      <%= javascript_include_tag "blazer/application", nonce: true %>
     <% end %>
-    <script>
+    <%= javascript_tag nonce: true do %>
       <%= blazer_js_var "rootPath", root_path %>
-    </script>
+    <% end %>
     <%= csrf_meta_tags %>
   </head>
   <body>