diff --git a/app/views/layouts/hotsheet/application.html.erb b/app/views/layouts/hotsheet/application.html.erb
index 5435cb0..06be1c4 100644
--- a/app/views/layouts/hotsheet/application.html.erb
+++ b/app/views/layouts/hotsheet/application.html.erb
@@ -6,7 +6,8 @@
 <%= csp_meta_tag %>
 <%= yield :head %>
 <%= stylesheet_link_tag "hotsheet/application", media: :all %>
- <%= javascript_include_tag "hotsheet/application", "data-turbolinks-track": "reload", type: "module" %>
+ <%= javascript_include_tag "hotsheet/application", "data-turbolinks-track": :reload,
+ type: :module, nonce: content_security_policy_nonce, defer: true %>
 <%= render "layouts/hotsheet/sidebar" %>
diff --git a/config/initializers/hotsheet/content_security_policy.rb b/config/initializers/hotsheet/content_security_policy.rb
new file mode 100644
index 0000000..faf1f40
--- /dev/null
+++ b/config/initializers/hotsheet/content_security_policy.rb
@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+Rails.application.configure do
+ config.content_security_policy do |csp|
+ csp.default_src :none
+ csp.connect_src :self
+ csp.img_src :self
+ csp.script_src :strict_dynamic
+ csp.style_src :self, :unsafe_inline
+ end
+
+ config.content_security_policy_nonce_directives = %w[script-src]
+ config.content_security_policy_nonce_generator = ->(_) { SecureRandom.base64 18 }
+end
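Review bot: `defer: true` on the added javascript_include_tag line is redundant once `type: :module` is set, because module scripts are deferred by the browser regardless of the attribute, so the option can be dropped to keep the tag honest about what controls load order: `type: :module, nonce: content_security_policy_nonce %>`. The nonce is wired correctly for the script tag, but note that the stylesheet_link_tag two lines above carries no nonce, so it continues to rely on the policy's `style-src` allowing `'self'`; if the initializer ever starts nonce-ing style-src as well, this layout will need the same treatment. The head/body markup that encloses these lines lies outside the hunk.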
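Review bot: `default_src :none` does not cover `base-uri`, `form-action` or `frame-ancestors` — those directives never fall back to default-src — so the new policy leaves base-tag injection, off-origin form posts and framing entirely unconstrained despite looking locked down; add `csp.base_uri :self`, `csp.form_action :self` and `csp.frame_ancestors :none` (or `:self` if the UI is meant to be embedded) inside the block. The `hotsheet/` path suggests this initializer ships with an engine; if so, `Rails.application.configure` replaces the host application's whole CSP on every route, which is better expressed as a controller-level `content_security_policy do |policy| … end` in the engine's ApplicationController so the policy stays scoped to the engine. `:strict_dynamic` with only the nonce leaves CSP2-only clients with no allowed script source at all; if those clients matter, `csp.script_src :strict_dynamic, :self, :https` keeps a fallback that CSP3 browsers ignore. The `style_src :self, :unsafe_inline` choice deserves a one-line comment stating why inline styles are permitted, since it is the one directive here that a reviewer will question.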