How to configure Laravel Pulse to work with CSP (Content-Security-Policy)?

[rizkywahyuprasetiyo]

I'm using Laravel Pulse to monitor active users and requests in production.

However, since I implemented a Content-Security-Policy (CSP) header with a nonce, Pulse's inline scripts are blocked. Livewire (used by Pulse) injects inline scripts without a way to customize nonce values.

Example error:

Refused to execute inline script because it violates the following Content Security Policy directive...

I've considered:

• Whitelisting 'unsafe-inline' (not secure)
• Adding per-route CSP exceptions (e.g., for /pulse)
• Disabling CSP for Pulse route only

My questions:

• Is there a recommended way to make Pulse CSP-compliant?
• Will future versions allow us to inject our nonce into Pulse scripts?
• Is there a Livewire-safe workaround?

Any help or recommendation is appreciated.