fix failing playwright tests

Signed-off-by: Bogdan-Marius-Catanus <bogdan-marius.catanus@ibm.com>

Author: Bogdan-Marius-Catanus

mcpgateway/middleware/security_headers.py

@@ -265,6 +265,11 @@ async def dispatch(self, request: Request, call_next) -> Response:
             >>> 'Vary' in resp.headers and 'Origin' in resp.headers['Vary']
             True
         """
+        # Generate CSP nonce BEFORE processing request so templates can access it
+        # This must happen before call_next() so request.state.csp_nonce is available during template rendering
+        csp_nonce = secrets.token_urlsafe(16)
+        request.state.csp_nonce = csp_nonce
+
         response = await call_next(request)
 
         # Only apply security headers if enabled
@@ -291,10 +296,7 @@ async def dispatch(self, request: Request, call_next) -> Response:
 
         response.headers["Referrer-Policy"] = "strict-origin-when-cross-origin"
 
-        # Content Security Policy with nonce-based approach
-        # Generate a cryptographically secure nonce for this request
-        csp_nonce = secrets.token_urlsafe(16)
-        request.state.csp_nonce = csp_nonce
+        # Content Security Policy with nonce-based approach (nonce already generated above)
 
         # CSP directives with nonce-based approach for scripts
         # Note: style-src uses 'unsafe-inline' without nonce (nonce would disable unsafe-inline)