Backpack Issues Using CSP

[trematoda]

I'm adding CSP (Content Security Policy) functionality to one of our apps using the Spatie Laravel CSP package and I'm seeing issues in the Backpack views.

Many of the CRUD and Pro blade templates contain javascript inside <script> tags and those are causing CSP violations. I could either publish all the relevant views and add the @cspNonce directive (a monumental task) or I could just use unsafe-inline, which would negate the point of using CSP.

Has anyone else run into this issue? Am I missing something?

[backpack-ai-bot[bot]]

Short answer: Backpack’s views do include inline scripts in various CRUD and Base templates, so a strict CSP that forbids inline JS will trigger violations. The knowledge sources don’t document CSP support or a built‑in way to inject nonces into Backpack’s shipped views. I’m sorry, but there’s no information about an official CSP-friendly mode or guidance for adding nonces to all Backpack inline scripts.

What you can do based on the sources:

• Many scripts and styles are loaded as external assets via config/backpack/base.php; you can move custom JS/CSS there to avoid inline code on your side. However, Backpack core views still include inline snippets (e.g., operation-specific JS files and per-view logic), and there’s no documented nonce integration in these templates (“app.js not used; add scripts via config/backpack/base.php”).
• Backpack historically balances CDN/local assets and publish/update flows, but none of those threads mention CSP or nonces in views (offline/asset loading discussions, asset publishing strategies).

Given that, your two options are the ones you already identified:

• Overwrite the affected Backpack blade files under resources/views/vendor/backpack/... and add @cspNonce to the script tags (but this is indeed substantial work). The docs confirm view overriding per-file or per-CRUD is the supported way to change templates (customize views for a CRUD).
• Relax CSP (e.g., unsafe-inline), which undermines CSP benefits.

If you need strict CSP without unsafe-inline, the only path suggested by the available sources is to override the necessary Backpack views and add nonces yourself. The knowledge sources do not explicitly mention any built-in nonce support or a global hook to apply nonces across all Backpack inline scripts.

ℹ️ Please note our AI Bot does not reply to follow-ups, this will be the only AI answer in this thread. If the AI helped you find the answer, please mark it as answered or write details below so it can learn. Then close the conversation. If not, please give more information for when a human reads this. ℹ️

Relevant sources:

Github Issue (closed): [4.0][Feature][Proposal] Remove dependency on CDNs - make Backpack work offline
Github Issue (closed): [4.0.x][Bug] Crud views are broken (Laravel 6.2)
Github Issue (closed): Cleaning up the HTML
Github Issue (closed): [4.0][Feature req] No longer publish CSS & JS assets
Github Issue (closed): Laravel app.js not affected when using backpack
Github Issue (closed): Add Backpack CRUD stylesheet
Github Issue (closed): [Bug] Loading CSS or JS file for a particular Operation stopped working
Github Issue (closed): Remove CSS & JS from Composer package
Github Issue (closed): [Bug] Cannot update data model after 4.1.44 update
Github Issue (closed): crud.js, form.js, create.js not showing in the page
Github Issue (closed): Cross-site scripting vulnerability
FAQs for CRUDs|Views