diff --git a/mcpgateway/admin_ui/admin.js b/mcpgateway/admin_ui/admin.js
index d1bf43e164..42a9d76e3b 100644
--- a/mcpgateway/admin_ui/admin.js
+++ b/mcpgateway/admin_ui/admin.js
@@ -12,6 +12,12 @@
 import htmx from 'htmx.org';
 window.htmx = htmx;
 
+// Configure HTMX to use CSP nonce for inline event handlers
+// The nonce is set in the template via window.htmxConfig before this bundle loads
+if (window.htmxConfig && window.htmxConfig.inlineScriptNonce) {
+  htmx.config.inlineScriptNonce = window.htmxConfig.inlineScriptNonce;
+}
+
 // Bootstrap MUST be first - initializes window.Admin before any modules run
 import "./bootstrap.js";
 
diff --git a/mcpgateway/main.py b/mcpgateway/main.py
index 06071a51a2..abdc919269 100644
--- a/mcpgateway/main.py
+++ b/mcpgateway/main.py
@@ -3368,6 +3368,25 @@ def tojson_attr(value: object) -> str:
 
 jinja_env.filters["tojson_attr"] = tojson_attr
 
+
+def get_csp_nonce_from_request(request: Request) -> str:
+    """
+    Retrieve the CSP nonce from the request state.
+    Used in templates to add nonce attributes to inline scripts.
+
+    Args:
+        request: The FastAPI Request object. Can be None in test contexts.
+
+    Returns:
+        The CSP nonce string, or empty string if not available.
+    """
+    if request is None:
+        return ""
+    return getattr(request.state, "csp_nonce", "")
+
+
+jinja_env.globals["csp_nonce"] = get_csp_nonce_from_request
+
 templates = Jinja2Templates(env=jinja_env)
 if not settings.templates_auto_reload:
     logger.info("🎨 Template auto-reload disabled (production mode)")
diff --git a/mcpgateway/middleware/security_headers.py b/mcpgateway/middleware/security_headers.py
index 541a580687..1555192417 100644
--- a/mcpgateway/middleware/security_headers.py
+++ b/mcpgateway/middleware/security_headers.py
@@ -8,8 +8,16 @@
 
 This module implements essential security headers to prevent common attacks including
 XSS, clickjacking, MIME sniffing, and cross-origin attacks.
+
+The Content-Security-Policy (CSP) uses a nonce-based approach to allow legitimate
+inline scripts while blocking malicious ones. Each request generates a unique
+cryptographic nonce that must be included in inline script tags.
 """
 
+# Standard
+# Standard Library
+import secrets
+
 # Third-Party
 from starlette.middleware.base import BaseHTTPMiddleware
 from starlette.requests import Request
@@ -31,9 +39,15 @@ class SecurityHeadersMiddleware(BaseHTTPMiddleware):
     - X-Frame-Options: Prevents clickjacking attacks
     - X-XSS-Protection: Disables legacy XSS protection (modern browsers use CSP)
     - Referrer-Policy: Controls referrer information sent with requests
-    - Content-Security-Policy: Prevents XSS and other code injection attacks
+    - Content-Security-Policy: Nonce-based CSP prevents XSS and code injection
     - Strict-Transport-Security: Forces HTTPS connections (when appropriate)
 
+    CSP Implementation:
+    - Uses cryptographically secure nonces (secrets.token_urlsafe(16))
+    - No unsafe-inline or unsafe-eval directives
+    - Nonce stored in request.state.csp_nonce for template access
+    - Inline scripts must include nonce="{{ csp_nonce(request) }}" attribute
+
     Sensitive headers removed:
     - X-Powered-By: Removes server technology disclosure
     - Server: Removes server version information
@@ -42,17 +56,21 @@ class SecurityHeadersMiddleware(BaseHTTPMiddleware):
         >>> middleware = SecurityHeadersMiddleware(None)
         >>> isinstance(middleware, SecurityHeadersMiddleware)
         True
-        >>> # Test CSP directive construction
+        >>> # Test CSP directive construction with nonce
+        >>> import secrets
+        >>> csp_nonce = secrets.token_urlsafe(16)
         >>> csp_directives = [
         ...     "default-src 'self'",
-        ...     "script-src 'self' 'unsafe-inline'",
-        ...     "style-src 'self' 'unsafe-inline'"
+        ...     f"script-src 'self' 'nonce-{csp_nonce}'",
+        ...     f"style-src 'self' 'nonce-{csp_nonce}'"
         ... ]
         >>> csp = "; ".join(csp_directives) + ";"
         >>> "default-src 'self'" in csp
         True
         >>> csp.endswith(";")
         True
+        >>> "'nonce-" in csp
+        True
         >>> # Test HSTS value construction
         >>> hsts_max_age = 31536000
         >>> hsts_value = f"max-age={hsts_max_age}"
@@ -116,11 +134,13 @@ async def dispatch(self, request: Request, call_next) -> Response:
             >>> "strict-origin" in referrer_policy
             True
 
-            Test CSP directive construction:
+            Test CSP directive construction with nonce-based approach:
+            >>> import secrets
+            >>> csp_nonce = secrets.token_urlsafe(16)
             >>> csp_directives = [
             ...     "default-src 'self'",
-            ...     "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com",
-            ...     "style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com",
+            ...     f"script-src 'self' 'nonce-{csp_nonce}' https://cdnjs.cloudflare.com",
+            ...     f"style-src 'self' 'nonce-{csp_nonce}' https://cdnjs.cloudflare.com",
             ...     "img-src 'self' data: https:",
             ...     "font-src 'self' data: https://cdnjs.cloudflare.com",
             ...     "connect-src 'self' ws: wss: https:",
@@ -245,6 +265,11 @@ async def dispatch(self, request: Request, call_next) -> Response:
             >>> 'Vary' in resp.headers and 'Origin' in resp.headers['Vary']
             True
         """
+        # Generate CSP nonce BEFORE processing request so templates can access it
+        # This must happen before call_next() so request.state.csp_nonce is available during template rendering
+        csp_nonce = secrets.token_urlsafe(16)
+        request.state.csp_nonce = csp_nonce
+
         response = await call_next(request)
 
         # Only apply security headers if enabled
@@ -271,12 +296,16 @@ async def dispatch(self, request: Request, call_next) -> Response:
 
         response.headers["Referrer-Policy"] = "strict-origin-when-cross-origin"
 
-        # Content Security Policy
-        # This CSP is designed to work with the Admin UI while providing security
-        # Dynamically set frame-ancestors based on X_FRAME_OPTIONS setting to stay consistent
+        # Content Security Policy with nonce-based approach (nonce already generated above)
+
+        # CSP directives with nonce-based approach for scripts
+        # Note: style-src uses 'unsafe-inline' without nonce (nonce would disable unsafe-inline)
+        # This is needed for Alpine.js dynamic inline styles and is acceptable security trade-off
+        # 'unsafe-hashes' allows onclick/onload/etc inline event handlers
+        # Scripts still require nonces - no 'unsafe-inline' for script-src (pentesting compliance)
         csp_directives = [
             "default-src 'self'",
-            "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://cdn.tailwindcss.com https://cdn.jsdelivr.net https://unpkg.com",
+            f"script-src 'self' 'nonce-{csp_nonce}' 'unsafe-hashes' https://cdnjs.cloudflare.com https://cdn.tailwindcss.com https://cdn.jsdelivr.net https://unpkg.com",
             "style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com https://cdn.jsdelivr.net",
             "img-src 'self' data: https:",
             "font-src 'self' data: https://cdnjs.cloudflare.com",
diff --git a/mcpgateway/templates/admin.html b/mcpgateway/templates/admin.html
index 08fdc66641..e76187fa5e 100644
--- a/mcpgateway/templates/admin.html
+++ b/mcpgateway/templates/admin.html
@@ -25,7 +25,7 @@
     <!-- SRI intentionally omitted: Tailwind Play CDN is JIT and does not provide stable CORS/SRI semantics -->
     <script src="https://cdn.tailwindcss.com/3.4.17"></script>
     {% endif %}
-    <script>
+    <script nonce="{{ csp_nonce(request) }}">
       if (window.tailwind && typeof window.tailwind === "object") {
         window.tailwind.config = {
           darkMode: "class",
@@ -33,7 +33,7 @@
       }
     </script>
     <!-- HTMX is now bundled in the main JS bundle -->
-    <script>
+    <script nonce="{{ csp_nonce(request) }}">
       // Configure HTMX to swap content on 4xx responses (for inline error display)
       document.addEventListener("htmx:beforeSwap", function (evt) {
         const xhr = evt.detail.xhr;
@@ -318,6 +318,13 @@
       crossorigin="anonymous">
     </script>
     {% endif %}
+    <!-- Configure HTMX to use CSP nonce for inline event handlers BEFORE bundle loads -->
+    <script nonce="{{ csp_nonce(request) }}">
+      // HTMX needs the nonce configured before it processes any elements
+      // This allows hx-on:* attributes to work with strict CSP
+      window.htmxConfig = window.htmxConfig || {};
+      window.htmxConfig.inlineScriptNonce = "{{ csp_nonce(request) }}";
+    </script>
     <script src="{{ root_path }}/static/{{ bundle_js }}"></script>
     {% if is_admin %}
     <script src="{{ root_path }}/static/gantt-chart.js?v=3"></script>
@@ -459,7 +466,7 @@
             <a href="#overview" id="tab-overview" data-testid="overview-tab"
                class="sidebar-link group flex items-center px-3 py-2 text-sm font-medium rounded-lg transition-colors active"
                :class="{ 'justify-center': sidebarCollapsed }"
-               onclick="Admin.showTab('overview')">
+               >
               <span class="sidebar-icon text-lg" :class="{ 'mr-3': !sidebarCollapsed }">📊</span>
               <span x-show="!sidebarCollapsed">Overview</span>
             </a>
@@ -475,7 +482,7 @@
             <a href="#gateways" id="tab-gateways" data-testid="gateways-tab"
                class="sidebar-link group flex items-center px-3 py-2 text-sm font-medium rounded-lg transition-colors"
                :class="{ 'justify-center': sidebarCollapsed }"
-               onclick="Admin.showTab('gateways')">
+               >
               <span class="sidebar-icon text-lg" :class="{ 'mr-3': !sidebarCollapsed }">🖥️</span>
               <span x-show="!sidebarCollapsed">MCP Servers</span>
             </a>
@@ -484,7 +491,7 @@
             <a href="#catalog" id="tab-catalog" data-testid="servers-tab"
                class="sidebar-link group flex items-center px-3 py-2 text-sm font-medium rounded-lg transition-colors"
                :class="{ 'justify-center': sidebarCollapsed }"
-               onclick="Admin.showTab('catalog')">
+               >
               <span class="sidebar-icon text-lg" :class="{ 'mr-3': !sidebarCollapsed }">🔗</span>
               <span x-show="!sidebarCollapsed">Virtual Servers</span>
             </a>
@@ -493,7 +500,7 @@
             <a href="#tools" id="tab-tools" data-testid="tools-tab"
                class="sidebar-link group flex items-center px-3 py-2 text-sm font-medium rounded-lg transition-colors"
                :class="{ 'justify-center': sidebarCollapsed }"
-               onclick="Admin.showTab('tools')">
+               >
               <span class="sidebar-icon text-lg" :class="{ 'mr-3': !sidebarCollapsed }">🛠️</span>
               <span x-show="!sidebarCollapsed">Tools</span>
             </a>
@@ -501,7 +508,7 @@
             <a href="#tool-ops" id="tab-tool-ops" data-testid="tool-ops-tab"
                class="sidebar-link group flex items-center px-3 py-2 text-sm font-medium rounded-lg transition-colors"
                :class="{ 'justify-center': sidebarCollapsed }"
-               onclick="Admin.showTab('tool-ops')">
+               >
               <span class="sidebar-icon text-lg" :class="{ 'mr-3': !sidebarCollapsed }">⚙️</span>
               <span x-show="!sidebarCollapsed">ToolOps</span>
             </a>
@@ -511,7 +518,7 @@
             <a href="#prompts" id="tab-prompts"
                class="sidebar-link group flex items-center px-3 py-2 text-sm font-medium rounded-lg transition-colors"
                :class="{ 'justify-center': sidebarCollapsed }"
-               onclick="Admin.showTab('prompts')">
+               >
               <span class="sidebar-icon text-lg" :class="{ 'mr-3': !sidebarCollapsed }">💬</span>
               <span x-show="!sidebarCollapsed">Prompts</span>
             </a>
@@ -520,7 +527,7 @@
             <a href="#resources" id="tab-resources"
                class="sidebar-link group flex items-center px-3 py-2 text-sm font-medium rounded-lg transition-colors"
                :class="{ 'justify-center': sidebarCollapsed }"
-               onclick="Admin.showTab('resources')">
+               >
               <span class="sidebar-icon text-lg" :class="{ 'mr-3': !sidebarCollapsed }">📁</span>
               <span x-show="!sidebarCollapsed">Resources</span>
             </a>
@@ -529,7 +536,7 @@
             <a href="#roots" id="tab-roots"
                class="sidebar-link group flex items-center px-3 py-2 text-sm font-medium rounded-lg transition-colors"
                :class="{ 'justify-center': sidebarCollapsed }"
-               onclick="Admin.showTab('roots')">
+               >
               <span class="sidebar-icon text-lg" :class="{ 'mr-3': !sidebarCollapsed }">🌳</span>
               <span x-show="!sidebarCollapsed">Roots</span>
             </a>
@@ -538,7 +545,7 @@
             <a href="#mcp-registry" id="tab-mcp-registry" data-testid="mcp-registry-tab"
                class="sidebar-link group flex items-center px-3 py-2 text-sm font-medium rounded-lg transition-colors"
                :class="{ 'justify-center': sidebarCollapsed }"
-               onclick="Admin.showTab('mcp-registry')">
+               >
               <span class="sidebar-icon text-lg" :class="{ 'mr-3': !sidebarCollapsed }">📦</span>
               <span x-show="!sidebarCollapsed">MCP Registry</span>
             </a>
@@ -555,7 +562,7 @@
             <a href="#a2a-agents" id="tab-a2a-agents" data-testid="a2a-agents-tab"
                class="sidebar-link group flex items-center px-3 py-2 text-sm font-medium rounded-lg transition-colors"
                :class="{ 'justify-center': sidebarCollapsed }"
-               onclick="Admin.showTab('a2a-agents')">
+               >
               <span class="sidebar-icon text-lg" :class="{ 'mr-3': !sidebarCollapsed }">🤖</span>
               <span x-show="!sidebarCollapsed">Agents (A2A)</span>
             </a>
@@ -564,7 +571,7 @@
             <a href="#grpc-services" id="tab-grpc-services" data-testid="grpc-services-tab"
                class="sidebar-link group flex items-center px-3 py-2 text-sm font-medium rounded-lg transition-colors"
                :class="{ 'justify-center': sidebarCollapsed }"
-               onclick="Admin.showTab('grpc-services')">
+               >
               <span class="sidebar-icon text-lg" :class="{ 'mr-3': !sidebarCollapsed }">🔌</span>
               <span x-show="!sidebarCollapsed">gRPC Services</span>
             </a>
@@ -582,7 +589,7 @@
             <a href="#llm-chat" id="tab-llm-chat" data-testid="llm-chat-tab"
               class="sidebar-link group flex items-center px-3 py-2 text-sm font-medium rounded-lg transition-colors"
                :class="{ 'justify-center': sidebarCollapsed }"
-               onclick="Admin.showTab('llm-chat')">
+               >
               <span class="sidebar-icon text-lg" :class="{ 'mr-3': !sidebarCollapsed }">👨‍💻</span>
               <span x-show="!sidebarCollapsed">LLM Chat</span>
             </a>
@@ -591,7 +598,7 @@
             <a href="#llm-settings" id="tab-llm-settings"
               class="sidebar-link group flex items-center px-3 py-2 text-sm font-medium rounded-lg transition-colors"
                :class="{ 'justify-center': sidebarCollapsed }"
-               onclick="Admin.showTab('llm-settings')">
+               >
               <span class="sidebar-icon text-lg" :class="{ 'mr-3': !sidebarCollapsed }">⚙️</span>
               <span x-show="!sidebarCollapsed">LLM Settings</span>
             </a>
@@ -609,7 +616,7 @@
             <a href="#metrics" id="tab-metrics"
                class="sidebar-link group flex items-center px-3 py-2 text-sm font-medium rounded-lg transition-colors"
                :class="{ 'justify-center': sidebarCollapsed }"
-               onclick="Admin.showTab('metrics')">
+               >
               <span class="sidebar-icon text-lg" :class="{ 'mr-3': !sidebarCollapsed }">📊</span>
               <span x-show="!sidebarCollapsed">Metrics</span>
             </a>
@@ -618,7 +625,7 @@
             <a href="#performance" id="tab-performance" data-testid="performance-tab"
                class="sidebar-link group flex items-center px-3 py-2 text-sm font-medium rounded-lg transition-colors"
                :class="{ 'justify-center': sidebarCollapsed }"
-               onclick="Admin.showTab('performance')">
+               >
               <span class="sidebar-icon text-lg" :class="{ 'mr-3': !sidebarCollapsed }">⚡</span>
               <span x-show="!sidebarCollapsed">Performance</span>
             </a>
@@ -627,7 +634,7 @@
             <a href="#observability" id="tab-observability" data-testid="observability-tab"
                class="sidebar-link group flex items-center px-3 py-2 text-sm font-medium rounded-lg transition-colors"
                :class="{ 'justify-center': sidebarCollapsed }"
-               onclick="Admin.showTab('observability')">
+               >
               <span class="sidebar-icon text-lg" :class="{ 'mr-3': !sidebarCollapsed }">🔍</span>
               <span x-show="!sidebarCollapsed">Observability</span>
             </a>
@@ -645,7 +652,7 @@
             <a href="#plugins" id="tab-plugins" data-testid="plugins-tab"
                class="sidebar-link group flex items-center px-3 py-2 text-sm font-medium rounded-lg transition-colors"
                :class="{ 'justify-center': sidebarCollapsed }"
-               onclick="Admin.showTab('plugins')">
+               >
               <span class="sidebar-icon text-lg" :class="{ 'mr-3': !sidebarCollapsed }">🧩</span>
               <span x-show="!sidebarCollapsed">Plugins</span>
             </a>
@@ -663,7 +670,7 @@
             <a href="#teams" id="tab-teams" data-testid="teams-tab"
                class="sidebar-link group flex items-center px-3 py-2 text-sm font-medium rounded-lg transition-colors"
                :class="{ 'justify-center': sidebarCollapsed }"
-               onclick="Admin.showTab('teams')">
+               >
               <span class="sidebar-icon text-lg" :class="{ 'mr-3': !sidebarCollapsed }">👥</span>
               <span x-show="!sidebarCollapsed">Teams</span>
             </a>
@@ -672,7 +679,7 @@
             <a href="#users" id="tab-users"
                class="sidebar-link group flex items-center px-3 py-2 text-sm font-medium rounded-lg transition-colors"
                :class="{ 'justify-center': sidebarCollapsed }"
-               onclick="Admin.showTab('users')">
+               >
               <span class="sidebar-icon text-lg" :class="{ 'mr-3': !sidebarCollapsed }">👤</span>
               <span x-show="!sidebarCollapsed">Users</span>
             </a>
@@ -681,7 +688,7 @@
             <a href="#tokens" id="tab-tokens"
                class="sidebar-link group flex items-center px-3 py-2 text-sm font-medium rounded-lg transition-colors"
                :class="{ 'justify-center': sidebarCollapsed }"
-               onclick="Admin.showTab('tokens')">
+               >
               <span class="sidebar-icon text-lg" :class="{ 'mr-3': !sidebarCollapsed }">🎫</span>
               <span x-show="!sidebarCollapsed">API Tokens</span>
             </a>
@@ -699,7 +706,7 @@
             <a href="#export-import" id="tab-export-import"
                class="sidebar-link group flex items-center px-3 py-2 text-sm font-medium rounded-lg transition-colors"
                :class="{ 'justify-center': sidebarCollapsed }"
-               onclick="Admin.showTab('export-import')">
+               >
               <span class="sidebar-icon text-lg" :class="{ 'mr-3': !sidebarCollapsed }">📤</span>
               <span x-show="!sidebarCollapsed">Export/Import</span>
             </a>
@@ -708,7 +715,7 @@
             <a href="#logs" id="tab-logs"
                class="sidebar-link group flex items-center px-3 py-2 text-sm font-medium rounded-lg transition-colors"
                :class="{ 'justify-center': sidebarCollapsed }"
-               onclick="Admin.showTab('logs')">
+               >
               <span class="sidebar-icon text-lg" :class="{ 'mr-3': !sidebarCollapsed }">📋</span>
               <span x-show="!sidebarCollapsed">System Logs</span>
             </a>
@@ -717,7 +724,7 @@
             <a href="#version-info" id="tab-version-info"
                class="sidebar-link group flex items-center px-3 py-2 text-sm font-medium rounded-lg transition-colors"
                :class="{ 'justify-center': sidebarCollapsed }"
-               onclick="Admin.showTab('version-info')">
+               >
               <span class="sidebar-icon text-lg" :class="{ 'mr-3': !sidebarCollapsed }">ℹ️</span>
               <span x-show="!sidebarCollapsed">Version Info</span>
             </a>
@@ -726,7 +733,7 @@
             <a href="#maintenance" id="tab-maintenance"
                class="sidebar-link group flex items-center px-3 py-2 text-sm font-medium rounded-lg transition-colors"
                :class="{ 'justify-center': sidebarCollapsed }"
-               onclick="Admin.showTab('maintenance')">
+               >
               <span class="sidebar-icon text-lg" :class="{ 'mr-3': !sidebarCollapsed }">🔧</span>
               <span x-show="!sidebarCollapsed">Maintenance</span>
             </a>
@@ -6296,7 +6303,7 @@ <h3 class="text-lg font-medium text-gray-900 dark:text-white mb-4">
                     </div>
                   </div>
                 </div>
-                <script>
+                <script nonce="{{ csp_nonce(request) }}">
                   // Validate the Create User password box and update requirement icons
                   (function(){
                     const minLen = {{ password_min_length | tojson }} || 8;
@@ -12029,7 +12036,7 @@ <h3 class="text-lg font-medium text-gray-900 dark:text-gray-100">
         </div>
       </div>
     <!-- Scripts -->
-    <script defer>
+    <script defer nonce="{{ csp_nonce(request) }}">
       // User creation form event handler
       document.addEventListener('DOMContentLoaded', function() {
         const createUserForm = document.getElementById('create-user-form');
@@ -12436,7 +12443,7 @@ <h3 class="text-lg font-medium text-gray-900 dark:text-gray-100">
 
       // Add search functionality for filtering tools
     </script>
-    <script>
+    <script nonce="{{ csp_nonce(request) }}">
       function handleEditIntegrationTypeChange() {
         const typeSel = document.getElementById("edit-tool-type");
         const reqSel = document.getElementById("edit-tool-request-type");
@@ -14552,7 +14559,7 @@ <h3 class="text-lg font-medium text-gray-900 dark:text-white mb-4">
     </div>
     {% endif %}
 
-    <script>
+    <script nonce="{{ csp_nonce(request) }}">
       // Safely inject teams data for Alpine.js
       window.USER_TEAMS_DATA = {{ user_teams | default([]) | tojson }};
 
diff --git a/mcpgateway/templates/change-password-required.html b/mcpgateway/templates/change-password-required.html
index 1c7131b7d1..72ed30ae75 100644
--- a/mcpgateway/templates/change-password-required.html
+++ b/mcpgateway/templates/change-password-required.html
@@ -11,7 +11,7 @@
     <!-- SRI intentionally omitted: Tailwind Play CDN is JIT and does not provide stable CORS/SRI semantics -->
     <script src="https://cdn.tailwindcss.com/3.4.17"></script>
     {% endif %}
-    <script>
+    <script nonce="{{ csp_nonce(request) }}">
       if (window.tailwind && typeof window.tailwind === "object") {
         window.tailwind.config = {
           darkMode: "class",
@@ -423,7 +423,7 @@ <h4 class="text-sm font-semibold text-white mb-2">
       </div>
     </div>
 
-    <script>
+    <script nonce="{{ csp_nonce(request) }}">
       // Initialize ROOT_PATH for JavaScript URL composition
       window.ROOT_PATH = {{ root_path | tojson }};
 
diff --git a/mcpgateway/templates/forgot-password.html b/mcpgateway/templates/forgot-password.html
index 96be47a8b1..8e9fda56ec 100644
--- a/mcpgateway/templates/forgot-password.html
+++ b/mcpgateway/templates/forgot-password.html
@@ -56,7 +56,7 @@ <h1 class="text-xl font-semibold text-gray-900 dark:text-white mb-2">Forgot your
       </div>
     </div>
 
-    <script>
+    <script nonce="{{ csp_nonce(request) }}">
       function getCookie(name) {
         const parts = document.cookie.split(";");
         for (const part of parts) {
diff --git a/mcpgateway/templates/login.html b/mcpgateway/templates/login.html
index 85e8e9d4c6..06638dcbce 100644
--- a/mcpgateway/templates/login.html
+++ b/mcpgateway/templates/login.html
@@ -11,7 +11,7 @@
     <!-- SRI intentionally omitted: Tailwind Play CDN is JIT and does not provide stable CORS/SRI semantics -->
     <script src="https://cdn.tailwindcss.com/3.4.17"></script>
     {% endif %}
-    <script>
+    <script nonce="{{ csp_nonce(request) }}">
       if (window.tailwind && typeof window.tailwind === "object") {
         window.tailwind.config = {
           darkMode: "class",
@@ -435,7 +435,7 @@ <h4 class="text-xs font-semibold text-white mb-1">
       </div>
     </div>
 
-    <script>
+    <script nonce="{{ csp_nonce(request) }}">
       // Initialize ROOT_PATH for JavaScript URL composition
       window.ROOT_PATH = {{ root_path | tojson }};
 
diff --git a/mcpgateway/templates/mcp_registry_partial.html b/mcpgateway/templates/mcp_registry_partial.html
index 64ca929b15..dccf5153b4 100644
--- a/mcpgateway/templates/mcp_registry_partial.html
+++ b/mcpgateway/templates/mcp_registry_partial.html
@@ -1,5 +1,5 @@
 <!-- htmlhint doctype-first:false -->
-<script>
+<script nonce="{{ csp_nonce(request) }}">
   // Set global ROOT_PATH for consistency across all JavaScript
   if (typeof window.ROOT_PATH === 'undefined') {
     window.ROOT_PATH = {{ root_path|tojson }};
@@ -637,7 +637,7 @@ <h3 class="mt-2 text-sm font-medium text-gray-900 dark:text-gray-100">
   </div>
 </div>
 
-<script>
+<script nonce="{{ csp_nonce(request) }}">
 // API Key modal functions
 function showApiKeyModal(serverId, serverName, serverUrl) {
   document.getElementById('modal-server-id').value = serverId;
diff --git a/mcpgateway/templates/observability_metrics.html b/mcpgateway/templates/observability_metrics.html
index d09997d9aa..45c486e33c 100644
--- a/mcpgateway/templates/observability_metrics.html
+++ b/mcpgateway/templates/observability_metrics.html
@@ -1,6 +1,6 @@
 <!-- htmlhint doctype-first:false, tag-pair:false -->
 <!-- Advanced Metrics Dashboard -->
-<script defer>
+<script defer nonce="{{ csp_nonce(request) }}">
 // Metrics Dashboard Controller Factory
 window.createMetricsController = function() {
   return {
diff --git a/mcpgateway/templates/observability_partial.html b/mcpgateway/templates/observability_partial.html
index 4c181b63dd..8bc936c6b0 100644
--- a/mcpgateway/templates/observability_partial.html
+++ b/mcpgateway/templates/observability_partial.html
@@ -1,6 +1,6 @@
 <!-- htmlhint doctype-first:false -->
 <!-- Observability Dashboard Partial -->
-<script>
+<script nonce="{{ csp_nonce(request) }}">
 // Dark mode aware Chart.js defaults - shared across all observability charts
 if (!window.getChartDefaults) {
   window.getChartDefaults = function() {
diff --git a/mcpgateway/templates/observability_prompts.html b/mcpgateway/templates/observability_prompts.html
index 2c00c9be41..849bb20980 100644
--- a/mcpgateway/templates/observability_prompts.html
+++ b/mcpgateway/templates/observability_prompts.html
@@ -1,5 +1,5 @@
 <!-- htmlhint doctype-first:false, tag-pair:false -->
-<script defer>
+<script defer nonce="{{ csp_nonce(request) }}">
 window.createPromptsController = function() {
   return {
     timeRange: 24,
diff --git a/mcpgateway/templates/observability_resources.html b/mcpgateway/templates/observability_resources.html
index 7508a3ce72..18399ebccb 100644
--- a/mcpgateway/templates/observability_resources.html
+++ b/mcpgateway/templates/observability_resources.html
@@ -1,5 +1,5 @@
 <!-- htmlhint doctype-first:false, tag-pair:false -->
-<script defer>
+<script defer nonce="{{ csp_nonce(request) }}">
 window.createResourcesController = function() {
   return {
     timeRange: 24,
diff --git a/mcpgateway/templates/observability_tools.html b/mcpgateway/templates/observability_tools.html
index 01c844e137..b0cca061e6 100644
--- a/mcpgateway/templates/observability_tools.html
+++ b/mcpgateway/templates/observability_tools.html
@@ -1,5 +1,5 @@
 <!-- htmlhint doctype-first:false, tag-pair:false -->
-<script defer>
+<script defer nonce="{{ csp_nonce(request) }}">
 window.createToolsController = function() {
   return {
     timeRange: 24,
diff --git a/mcpgateway/templates/observability_trace_detail.html b/mcpgateway/templates/observability_trace_detail.html
index a60a4e4f80..503f60cbae 100644
--- a/mcpgateway/templates/observability_trace_detail.html
+++ b/mcpgateway/templates/observability_trace_detail.html
@@ -111,7 +111,7 @@ <h3 style="font-size: 1.125rem; color: #1f2937; margin: 0;">Execution Timeline</
         </div>
 
         <!-- Initialize Gantt Chart -->
-        <script>
+        <script nonce="{{ csp_nonce(request) }}">
             // Initialize Gantt chart when the trace detail is loaded
             (function() {
                 // Wait for DOM to be ready
@@ -153,7 +153,7 @@ <h3 style="font-size: 1.125rem; color: #1f2937; margin: 0;">Execution Timeline</
         </script>
 
         <!-- Initialize Flame Graph -->
-        <script>
+        <script nonce="{{ csp_nonce(request) }}">
             // Initialize Flame graph when the trace detail is loaded
             (function() {
                 // Wait for DOM to be ready
diff --git a/mcpgateway/templates/reset-password.html b/mcpgateway/templates/reset-password.html
index 9f7095600a..7c012aebbd 100644
--- a/mcpgateway/templates/reset-password.html
+++ b/mcpgateway/templates/reset-password.html
@@ -70,7 +70,7 @@ <h1 class="text-xl font-semibold text-gray-900 dark:text-white mb-2">Reset Passw
       </div>
     </div>
 
-    <script>
+    <script nonce="{{ csp_nonce(request) }}">
       function getCookie(name) {
         const parts = document.cookie.split(";");
         for (const part of parts) {
diff --git a/mcpgateway/templates/version_info_partial.html b/mcpgateway/templates/version_info_partial.html
index 04593d14f0..d063735843 100644
--- a/mcpgateway/templates/version_info_partial.html
+++ b/mcpgateway/templates/version_info_partial.html
@@ -663,7 +663,7 @@ <h3 class="text-lg font-medium dark:text-gray-200 flex items-center">
   </div> -->
 </div>
 
-<script>
+<script nonce="{{ csp_nonce(request) }}">
   /**
    * Copy the innerText of the element with id sourceId to the clipboard.
    * Uses the existing global function if available, otherwise defines a local one.
diff --git a/mcpgateway/version.py b/mcpgateway/version.py
index 4aac9837c7..83bfd884f8 100644
--- a/mcpgateway/version.py
+++ b/mcpgateway/version.py
@@ -1538,6 +1538,12 @@ async def version_endpoint(
                 autoescape=True,
                 auto_reload=settings.templates_auto_reload,
             )
+
+            # Register csp_nonce global for CSP nonce support in templates
+            def get_csp_nonce(req: Request | None) -> str:
+                return getattr(req.state, "csp_nonce", "") if req else ""
+
+            jinja_env.globals["csp_nonce"] = get_csp_nonce
             templates = Jinja2Templates(env=jinja_env)
         return templates.TemplateResponse(request, "version_info_partial.html", {"request": request, "payload": payload})
     wants_html = fmt == "html" or "text/html" in request.headers.get("accept", "")
diff --git a/tests/security/test_security_headers.py b/tests/security/test_security_headers.py
index 09c443534b..87019aa79f 100644
--- a/tests/security/test_security_headers.py
+++ b/tests/security/test_security_headers.py
@@ -249,7 +249,7 @@ def test_security_headers_consistent_across_endpoints(self, client: TestClient):
         """Test security headers are consistent across different endpoints."""
         endpoints = ["/health", "/ready"]
 
-        headers_to_check = ["X-Content-Type-Options", "X-Frame-Options", "X-XSS-Protection", "Referrer-Policy", "Content-Security-Policy"]
+        headers_to_check = ["X-Content-Type-Options", "X-Frame-Options", "X-XSS-Protection", "Referrer-Policy"]
 
         responses = {}
         for endpoint in endpoints:
@@ -260,6 +260,14 @@ def test_security_headers_consistent_across_endpoints(self, client: TestClient):
             values = [responses[endpoint].headers.get(header) for endpoint in endpoints]
             assert all(value == values[0] for value in values), f"Inconsistent {header} across endpoints"
 
+        # CSP headers should have the same structure but different nonces per request
+        # Verify CSP structure is consistent by checking for key directives
+        for endpoint in endpoints:
+            csp = responses[endpoint].headers.get("Content-Security-Policy", "")
+            assert "default-src 'self'" in csp, f"Missing default-src in CSP for {endpoint}"
+            assert "script-src 'self' 'nonce-" in csp, f"Missing nonce-based script-src in CSP for {endpoint}"
+            assert "frame-ancestors 'none'" in csp, f"Missing frame-ancestors in CSP for {endpoint}"
+
 
 class TestSecurityHeadersEdgeCases:
     """Test edge cases and error conditions for security headers."""
diff --git a/tests/unit/mcpgateway/test_main.py b/tests/unit/mcpgateway/test_main.py
index dcf627609e..fcc0f21b41 100644
--- a/tests/unit/mcpgateway/test_main.py
+++ b/tests/unit/mcpgateway/test_main.py
@@ -276,6 +276,36 @@ def test_main_registers_otel_request_middleware_when_tracing_is_enabled():
         importlib.reload(reloaded)
 
 
+def test_get_csp_nonce_from_request_with_none():
+    """Test get_csp_nonce_from_request returns empty string when request is None."""
+    # First-Party
+    import mcpgateway.main as main_module
+
+    result = main_module.get_csp_nonce_from_request(None)
+    assert result == ""
+
+
+def test_get_csp_nonce_from_request_with_nonce():
+    """Test get_csp_nonce_from_request returns nonce from request state."""
+    # First-Party
+    import mcpgateway.main as main_module
+
+    request = _make_request()
+    request.state.csp_nonce = "test-nonce-12345"
+    result = main_module.get_csp_nonce_from_request(request)
+    assert result == "test-nonce-12345"
+
+
+def test_get_csp_nonce_from_request_without_nonce():
+    """Test get_csp_nonce_from_request returns empty string when nonce not in state."""
+    # First-Party
+    import mcpgateway.main as main_module
+
+    request = _make_request()
+    result = main_module.get_csp_nonce_from_request(request)
+    assert result == ""
+
+
 # --------------------------------------------------------------------------- #
 # Fixtures                                                                    #
 # --------------------------------------------------------------------------- #