angular · tomeustace · Mar 26, 2022
diff --git a/aio/content/guide/security.md b/aio/content/guide/security.md
@@ -201,6 +201,7 @@ To enforce Trusted Types for your application, you must configure your applicati
 | `angular`               | This policy is used in security-reviewed code that is internal to Angular, and is required for Angular to function when Trusted Types are enforced. Any inline template values or content sanitized by Angular is treated as safe by this policy.                           |
 | `angular#unsafe-bypass` | This policy is used for applications that use any of the methods in Angular's [DomSanitizer](api/platform-browser/DomSanitizer) that bypass security, such as `bypassSecurityTrustHtml`. Any application that uses these methods must enable this policy.                   |
 | `angular#unsafe-jit`    | This policy is used by the [JIT compiler](api/core/Compiler). You must enable this policy if your application interacts directly with the JIT compiler or is running in JIT mode using the [platform browser dynamic](api/platform-browser-dynamic/platformBrowserDynamic). |
+| `angular#bundler`       | This policy is used by Angular CLI's bundler when creating lazy chunk files.                    |
 
 You should configure the HTTP headers for Trusted Types in the following locations:
 
@@ -232,6 +233,12 @@ Content-Security-Policy: trusted-types angular angular#unsafe-jit; require-trust
 
 </code-example>
 
+The following is an example of a header specifically configured for Trusted Types and Angular applications that use lazy loading of modules:
+
+<code-example language="html">
+Content-Security-Policy: trusted-types angular angular#bundler; require-trusted-types-for 'script';
+</code-example>
+
 <div class="callout is-helpful">
 
 <header>Community contributions</header>