diff --git a/engine/app/views/shared/_chart.erb b/engine/app/views/shared/_chart.erb
index a5424a7e8..e54e99422 100644
--- a/engine/app/views/shared/_chart.erb
+++ b/engine/app/views/shared/_chart.erb
@@ -1,6 +1,6 @@
- +<% end %>
diff --git a/spec/test_app/config/initializers/content_security_policy.rb b/spec/test_app/config/initializers/content_security_policy.rb
index 41c43016f..cf3f46374 100644
--- a/spec/test_app/config/initializers/content_security_policy.rb
+++ b/spec/test_app/config/initializers/content_security_policy.rb
@@ -26,3 +26,18 @@
 # For further information see the following documentation:
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
 # Rails.application.config.content_security_policy_report_only = true
+
+Rails.application.config.content_security_policy do |policy|
+ policy.default_src :none
+ policy.connect_src :self
+ policy.base_uri :none
+ policy.font_src :self, :https, :data
+ policy.img_src :self, :https, :data
+ policy.object_src :none
+ policy.script_src :self
+ policy.style_src :self
+ policy.form_action :self
+ policy.frame_ancestors :self
+end
+
+Rails.application.config.content_security_policy_nonce_generator = ->(_request) { SecureRandom.base64(16) }
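Review bot: `policy.img_src :self, :https, :data` and `policy.font_src :self, :https, :data` admit every HTTPS origin, so anyone able to inject markup still has an exfiltration channel (an image beacon or remote font load to an arbitrary https host passes this policy), and the test app would not catch an engine view that quietly depends on that looseness. If the engine's views only load local assets, tighten both to `:self, :data`; if a specific remote origin is genuinely needed, list that host instead of the `:https` scheme wildcard. The nonce generator also leaves the nonce-bearing directives to Rails' default (script-src and style-src, if I recall the default correctly); pinning them with `Rails.application.config.content_security_policy_nonce_directives = %w[script-src style-src]` plus a comment saying the test app's policy is intended to be at least as strict as a host app's would make that intent explicit. The `_chart.erb` hunk above is missing most of its lines in this view, so I cannot confirm what the added `<% end %>` closes.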