diff --git a/app/views/layouts/application.html.erb b/app/views/layouts/application.html.erb
index 2ea08e904..f958aead7 100644
--- a/app/views/layouts/application.html.erb
+++ b/app/views/layouts/application.html.erb
@@ -34,14 +34,16 @@
<% else %>
<%= javascript_include_tag 'requests/application' %>
<% end %>
-
+ <%= javascript_tag nonce: true do -%>
+ window.Global = {"graphql":<%= Global.graphql.to_json.html_safe %>,"figgy":<%= Global.figgy.to_json.html_safe %>}
+ <% end %>
<% unless controller.controller_name == "request" %>
<%= vite_javascript_tag 'application' %>
<% end %>
<% unless controller.controller_name == "catalog" && controller.action_name == "show" && @document.alma_record? %>
<%= javascript_include_tag "https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.2/MathJax.js?config=TeX-MML-AM_CHTML", async: true %>
<% end %>
- <%= javascript_include_tag "https://www.google.com/books/jsapi.js" %>
+ <%= javascript_include_tag "https://www.google.com/books/jsapi.js", nonce: true %>
<%= csrf_meta_tags %>
<%= content_for(:head) %>
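Review bot: The `nonce: true` on the new `javascript_tag` and on the Google Books `javascript_include_tag` produces no nonce attribute unless `content_security_policy_nonce_generator` is configured, and the generator line in this same commit's initializer is commented out, so the inline `window.Global` script carries no nonce and would be blocked by `script_src :self, :https` once the policy leaves report-only mode. The `.to_json.html_safe` interpolation is only safe to embed raw inside a `<script>` because ActiveSupport's JSON encoder escapes `<`, `>` and `&` by default (`config.active_support.escape_html_entities_in_json`); worth a one-line comment above L11 such as `<%# relies on escape_html_entities_in_json being enabled so the JSON cannot close the script tag %>`. The MathJax include at L17 still has no `nonce:`; since it is loaded from cdnjs it is covered by the host source rather than the nonce, so leaving it is fine, but it would help to say so in a comment.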
diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
new file mode 100644
index 000000000..494213ac8
--- /dev/null
+++ b/config/initializers/content_security_policy.rb
@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+Rails.application.config.content_security_policy_report_only = true
+# Rails.application.config.content_security_policy_nonce_generator = -> request { SecureRandom.base64(16) }
+
+Rails.application.config.content_security_policy do |policy|
+ policy.default_src :self, :https
+ policy.font_src :self, :https, :data
+ policy.img_src :self, :https, :data
+ policy.object_src :none
+ policy.script_src :self, :https
+
+ # TODO: Upgrade MathJax to the latest version, using yarn/npm rather than the CDN
+ policy.style_src :self, "'unsafe-inline'"
+ # policy.style_src :self, :https
+ # policy.report_uri -> { "https://api.honeybadger.io/v1/browser/csp?api_key=#{ENV['HONEYBADGER_API_KEY']}&report_only=true&env=#{Rails.env}&context[user_id]=#{respond_to?(:current_user) ? current_user&.id : nil}" }
+end
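Review bot: With the nonce generator left commented out at L32, the `nonce: true` flags added to the layout in this commit emit nothing, so the inline script the layout now injects will be reported (and later blocked); enable it before switching off report-only, e.g. `Rails.application.config.content_security_policy_nonce_generator = ->(request) { SecureRandom.base64(16) }`, bearing in mind that a per-request nonce does not combine with cached page fragments. `policy.script_src :self, :https` permits script from any https origin, which removes most of the XSS protection a CSP provides; listing the two CDN origins the layout actually loads from (`https://cdnjs.cloudflare.com`, `https://www.google.com`) would be tighter. Because `report_uri` is also commented out, report-only mode currently produces no collected violation reports, only browser-console output, so there is no feedback loop to judge when enforcement is safe. Consider also adding `policy.frame_ancestors :self` and `policy.base_uri :self`, which `default_src` does not cover.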