CloudFront CSP With Dynamic Nonces

Client: AI | Published: 19.11.2025
Budget: $250

My WordPress site is already fronted by an AWS CloudFront distribution, and I want to tighten security by enforcing a full-scope Content Security Policy that uses per-request nonces. A base CSP header is in place today, but it’s static; I need it re-worked so every response contains a unique nonce that inline scripts and styles can reference, covering scripts, styles, images, media—essentially all content types.

The approach I’d like to take is a Lambda@Edge viewer-response function that:

• generates a cryptographically secure nonce on each request,
• injects that nonce into the CSP header (extending my existing directives, not replacing them), and
• rewrites the HTML markup on-the-fly so all inline script/style tags receive the same nonce attribute.

I’ll provide the list of domains that must stay whitelisted; everything else should be locked down. Along the way, please keep the solution compatible with WordPress’ typical caching plugins and CloudFront’s caching behaviour.

Deliverables I need from you:

1. Production-ready Lambda@Edge code (Node.js preferred) and deployment steps.
2. Updated CSP header reflecting my current directives plus nonce logic.
3. Clear instructions so I can maintain the whitelist and roll the function to other distributions in the future.
4. A quick validation checklist or automated test so I can confirm the policy is working across all asset types.

If you’ve implemented nonce-based CSP on CloudFront before, especially with WordPress origins, I’m ready to talk to you.