diff --git a/web/app/layout.tsx b/web/app/layout.tsx
index 1ec9217296..8bb2069aaf 100644
--- a/web/app/layout.tsx
+++ b/web/app/layout.tsx
@@ -5,9 +5,11 @@ import { Provider as JotaiProvider } from 'jotai/react'
 import { ThemeProvider } from 'next-themes'
 import { NuqsAdapter } from 'nuqs/adapters/next/app'
 import AmplitudeProvider from '@/app/components/base/amplitude'
+import { IS_PROD } from '@/config'
 import { TanstackQueryInitializer } from '@/context/query-client'
 import { getDatasetMap } from '@/env'
 import { getLocaleOnServer } from '@/i18n-config/server'
+import { headers } from '@/next/headers'
 import PartnerStackCookieRecorder from './components/billing/partner-stack/cookie-recorder'
 import CreateAppAttributionBootstrap from './components/create-app-attribution-bootstrap'
 import { AgentationLoader } from './components/devtools/agentation-loader'
@@ -32,6 +34,7 @@ const LocaleLayout = async ({
 }) => {
   const locale = await getLocaleOnServer()
   const datasetMap = getDatasetMap()
+  const nonce = IS_PROD ? (await headers()).get('x-nonce') ?? undefined : undefined
   return (
@@ -64,6 +67,7 @@ const LocaleLayout = async ({
           defaultTheme="system"
           enableSystem
           disableTransitionOnChange
+          nonce={nonce}
         >
diff --git a/web/proxy.ts b/web/proxy.ts
index 983713fd0e..d735c9f568 100644
--- a/web/proxy.ts
+++ b/web/proxy.ts
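Review bot: The added `const nonce = IS_PROD ? (await headers()).get('x-nonce') ?? undefined : undefined` gates on `IS_PROD` from `@/config`, whereas proxy.ts decides whether a nonce CSP is emitted with `!!env.NEXT_PUBLIC_CSP_WHITELIST && process.env.NODE_ENV === 'production'`; unless `IS_PROD` is literally that same NODE_ENV check, a build can exist where the proxy sends a CSP that requires the nonce while the layout drops it (breaking the next-themes inline script), or vice versa. Either reuse the proxy's predicate here or key off the header alone, `const nonce = (await headers()).get('x-nonce') ?? undefined` — the latter presumably makes this layout dynamic in every environment, so confirm that is acceptable before removing the guard. A one-line why-comment would also help the next reader: `// x-nonce is injected per request by proxy.ts only when the CSP whitelist is active; undefined = no nonce-based CSP`. LocaleLayout's body continues outside the hunk.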
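Review bot: `nonce={nonce}` covers only the inline script that next-themes injects; whether the other providers rendered by this layout (AmplitudeProvider, PartnerStackCookieRecorder, AgentationLoader, CreateAppAttributionBootstrap) also emit inline scripts or styles that a nonce-based CSP would block is not visible from the hunk and is worth verifying before relying on the CSP in production. If any of them do, the same `nonce` value has to be threaded through to them, otherwise the policy will silently break those features only in production. The enclosing JSX tree starts and ends outside the hunk.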
@@ -18,15 +18,16 @@ const wrapResponseWithXFrameOptions = (response: NextResponse, pathname: string)
 export function proxy(request: NextRequest) {
   const { pathname } = request.nextUrl
   const requestHeaders = new Headers(request.headers)
-  const response = NextResponse.next({
-    request: {
-      headers: requestHeaders,
-    },
-  })
   const isWhiteListEnabled = !!env.NEXT_PUBLIC_CSP_WHITELIST && process.env.NODE_ENV === 'production'
-  if (!isWhiteListEnabled)
+  if (!isWhiteListEnabled) {
+    const response = NextResponse.next({
+      request: {
+        headers: requestHeaders,
+      },
+    })
     return wrapResponseWithXFrameOptions(response, pathname)
+  }
   const whiteList = `${env.NEXT_PUBLIC_CSP_WHITELIST} ${NECESSARY_DOMAIN}`
   const nonce = Buffer.from(crypto.randomUUID()).toString('base64')
@@ -60,6 +61,12 @@ export function proxy(request: NextRequest) {
     contentSecurityPolicyHeaderValue,
   )
+  const response = NextResponse.next({
+    request: {
+      headers: requestHeaders,
+    },
+  })
+
   response.headers.set(
     'Content-Security-Policy',
     contentSecurityPolicyHeaderValue,
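Review bot: In the new `if (!isWhiteListEnabled) {` branch the forwarded `requestHeaders` is still a verbatim copy of the client's headers, so a caller can send its own `x-nonce` and layout.tsx (which reads that header whenever `IS_PROD` is true) will place a client-chosen value in the ThemeProvider inline script's nonce attribute. No CSP header is sent on this path, so this is not exploitable as-is, but it is a footgun that a later CSP change could turn into a real bypass; clear it before forwarding with `requestHeaders.delete('x-nonce')` just before the `NextResponse.next(...)` in that branch (assuming, as in the standard Next.js CSP recipe, the lines between the two hunks overwrite it with `requestHeaders.set('x-nonce', nonce)` on the enabled path). The `NextResponse.next({ request: { headers: requestHeaders } })` literal is now duplicated in both paths; a local `const forward = () => NextResponse.next({ request: { headers: requestHeaders } })` would keep them in step. proxy()'s body continues past the end of the hunk.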