Link to the code that reproduces this issue

Live reproduction: https://tracking.legacyinsights.com.br/login (public route, no auth required to view SSR HTML).

Minimal config excerpt from the repository (middleware proxy.ts):

// src/proxy.ts
export async function proxy(request: NextRequest) {
  const nonce = generateNonce(); // 16 random bytes, base64
  const csp = buildCsp(nonce);   // uses `'nonce-${nonce}' 'strict-dynamic'`

  const requestHeaders = new Headers(request.headers);
  requestHeaders.set('x-nonce', nonce);
  requestHeaders.set('content-security-policy', csp);

  // updateSession calls NextResponse.next({ request: { headers: requestHeaders } })
  const res = await updateSession(request, requestHeaders);

  res.headers.set('Content-Security-Policy', csp);
  return res;
}

Layout (Server Component) confirms the nonce is visible to SSR:

// src/app/layout.tsx
const h = await headers();
const nonce = h.get('x-nonce') ?? undefined;
return (
  <html>
    <head>
      {nonce && <meta name="csp-nonce" content={nonce} />}
    </head>
    <body>...</body>
  </html>
);

To Reproduce

1. Generate a per-request nonce in a Next.js 16 middleware (src/proxy.ts, matching Next's official CSP docs).
2. Forward the nonce via x-nonce on the request headers passed to NextResponse.next({ request: { headers } }).
3. Additionally set the Content-Security-Policy request header to the same CSP used on the response, so Next's get-script-nonce-from-header.js can parse it.
4. Build the app for production with Turbopack (next build, default in 16.x).
5. Deploy and curl the SSR HTML of any page.

Current vs. Expected behavior

Current:

The root-layout-emitted <meta name="csp-nonce" content="…"> contains the nonce — propagation through headers() works end-to-end. But every framework-emitted <script src="/_next/static/chunks/*.js" async> tag lacks a nonce attribute.

$ curl -s https://tracking.legacyinsights.com.br/login -D /tmp/h.out -o /tmp/b.out
$ grep -i 'content-security-policy\|x-nonce' /tmp/h.out
content-security-policy: default-src 'self'; script-src 'self' 'nonce-HSfIoYELmjgrOVsBDpqPUg==' 'strict-dynamic' …

$ grep -oE '<meta[^>]*csp-nonce[^>]*>' /tmp/b.out
<meta name="csp-nonce" content="HSfIoYELmjgrOVsBDpqPUg=="/>

$ grep -cE '<script[^>]*nonce=' /tmp/b.out
0

$ grep -oE '<script[^>]{0,120}>' /tmp/b.out | head -5
<script src="/_next/static/chunks/0i6wetj06smyh.js" async="">
<script src="/_next/static/chunks/15vqu5znybt9f.js" async="">
<script src="/_next/static/chunks/14l~.r2kq13je.js" async="">
<script src="/_next/static/chunks/128aahewwf1we.js" async="">
<script src="/_next/static/chunks/turbopack-0n2.452-9mjc~.js" async="">

28 <script> tags on the page, 0 with a nonce attribute. With script-src 'nonce-…' 'strict-dynamic' the browser refuses every chunk and the page loads blank.

Expected:

All framework-emitted <script> tags include nonce="HSfIoYELmjgrOVsBDpqPUg==" so the CSP's strict-dynamic + nonce allowlist admits them. This matches the contract documented in the CSP guide.

Likely location

packages/next/src/server/app-render/required-scripts.ts (shipped as node_modules/next/dist/server/app-render/required-scripts.js in 16.2.4):

function getRequiredScripts(buildManifest, assetPrefix, crossOrigin, SRIManifest, qs, nonce, pagePath) {
  // ...
  const bootstrapScript = {
    src: '',
    crossOrigin,                //  <-- no `nonce` field here
  };
  // ...
  preinitScripts = () => {
    for (let i = 0; i < preinitScriptCommands.length; i++) {
      ReactDOM.preinit(preinitScriptCommands[i], {
        as: 'script',
        nonce,                  // <-- preinit gets the nonce
        crossOrigin,
      });
    }
  };
  return [preinitScripts, bootstrapScript];
}

bootstrapScript is later passed as bootstrapScripts: [bootstrapScript] into React's renderToReadableStream, but the object never receives the nonce parameter that getRequiredScripts accepts. React's bootstrap script serializer therefore emits the tag without a nonce attribute.

The dev-mode variant of this bug was fixed in #65508 (closed #64037, May 2024), but the production SSR path in 16.x still exhibits it. A follow-up comment on #64037 from the original reporter already flagged a separate site that was still un-nonced.

Provide environment information

Operating System:
  Platform: linux (production container), darwin (local build)
Binaries:
  Node: 24.x
Relevant Packages:
  next: 16.2.4 (reproduces on 16.1.4 too — not a 16.2 regression)
  react: 19.x
  react-dom: 19.x
Next.js Config:
  output: standalone
  bundler: turbopack (default on 16.x)

Which area(s) are affected?

Turbopack, SSR, CSP

Which stage(s) are affected?

next build + next start (production).

Additional context

Workaround currently in use: fall back to script-src 'self' 'unsafe-inline' https: (no strict-dynamic). Page loads but loses the hardening benefit of nonce-based CSP. The runway for flipping back to strict-dynamic is kept in place (request-side x-nonce, <meta> emission, CSP request header set per Next docs) so the fix is a one-line flip once the bootstrap tag starts receiving the nonce.