diff --git a/app/Http/Middleware/SecureHeaders.php b/app/Http/Middleware/SecureHeaders.php
index 36b9c73bf3..bda07c06bd 100644
--- a/app/Http/Middleware/SecureHeaders.php
+++ b/app/Http/Middleware/SecureHeaders.php
@@ -34,20 +34,24 @@ use Illuminate\Support\Str;
 class SecureHeaders
 {
     /**
-     * Handle an incoming request. May not be a limited user (ie. Sandstorm env. or demo user).
+     * Handle an incoming request.
      *
      * @param \Illuminate\Http\Request $request
-     * @param \Closure $next
+     * @param \Closure                 $next
      *
      * @return mixed
+     * @throws \Exception
      */
     public function handle(Request $request, Closure $next)
     {
+        $nonce = base64_encode(random_bytes(16));
+        app('view')->share('JS_NONCE', $nonce);
+
         $response    = $next($request);
         $google      = '';
         $googleImg   = '';
         $analyticsId = config('firefly.analytics_id');
-        $token       = Str::random(16);
+
         if ('' !== $analyticsId) {
             $google    = 'www.googletagmanager.com/gtag/js https://www.google-analytics.com/analytics.js'; // @codeCoverageIgnore
             $googleImg = 'https://www.google-analytics.com/';
@@ -55,7 +59,7 @@ class SecureHeaders
         $csp = [
             "default-src 'none'",
             "object-src 'self'",
-            sprintf("script-src 'self' 'unsafe-inline' %s", $google),
+            sprintf("script-src 'nonce-%s' %s", $nonce, $google),
             "style-src 'self' 'unsafe-inline'",
             "base-uri 'self'",
             "font-src 'self' data:",
diff --git a/resources/views/v1/accounts/create.twig b/resources/views/v1/accounts/create.twig
index 08eddbf47f..8cd242fea7 100644
--- a/resources/views/v1/accounts/create.twig
+++ b/resources/views/v1/accounts/create.twig
@@ -4,7 +4,7 @@
 {% endblock %}
 {% block content %}
     <!-- set location data high up -->
-    <script type="text/javascript">
+    <script type="text/javascript" nonce="{{ JS_NONCE }}">
         var locations = {{ locations|json_encode|raw }};
         var mapboxToken = "{{ config('firefly.mapbox_api_key') }}";
     </script>
diff --git a/resources/views/v1/accounts/edit.twig b/resources/views/v1/accounts/edit.twig
index be9bb10ac2..b8740d710c 100644
--- a/resources/views/v1/accounts/edit.twig
+++ b/resources/views/v1/accounts/edit.twig
@@ -6,7 +6,7 @@
 
 {% block content %}
     <!-- set location data high up -->
-    <script type="text/javascript">
+    <script type="text/javascript" nonce="{{ JS_NONCE }}">
         var locations = {{ locations|json_encode|raw }};
         var mapboxToken = "{{ config('firefly.mapbox_api_key') }}";
     </script>
diff --git a/resources/views/v1/accounts/index.twig b/resources/views/v1/accounts/index.twig
index ec6088e853..c6c303eb28 100644
--- a/resources/views/v1/accounts/index.twig
+++ b/resources/views/v1/accounts/index.twig
@@ -75,7 +75,7 @@
 {% endblock %}
 
 {% block scripts %}
-    <script type="text/javascript">
+    <script type="text/javascript" nonce="{{ JS_NONCE }}">
         var objectType = '{{ objectType|escape }}';
     </script>
     <script type="text/javascript" src="v1/js/lib/bootstrap-sortable.js?v={{ FF_VERSION }}"></script>
diff --git a/resources/views/v1/accounts/reconcile/edit.twig b/resources/views/v1/accounts/reconcile/edit.twig
index 6639ed11c6..65bd5578b5 100644
--- a/resources/views/v1/accounts/reconcile/edit.twig
+++ b/resources/views/v1/accounts/reconcile/edit.twig
@@ -93,7 +93,7 @@
 
 {% endblock %}
 {% block scripts %}
-    <script type="text/javascript">
+    <script type="text/javascript" nonce="{{ JS_NONCE }}">
         var what = "{{ what }}";
     </script>
     <script type="text/javascript" src="v1/js/lib/typeahead/typeahead.bundle.min.js?v={{ FF_VERSION }}"></script>
diff --git a/resources/views/v1/accounts/reconcile/index.twig b/resources/views/v1/accounts/reconcile/index.twig
index 7b733991cd..4ee9017e99 100644
--- a/resources/views/v1/accounts/reconcile/index.twig
+++ b/resources/views/v1/accounts/reconcile/index.twig
@@ -126,7 +126,7 @@
 {% endblock %}
 
 {% block scripts %}
-    <script type="text/javascript">
+    <script type="text/javascript" nonce="{{ JS_NONCE }}">
         currencySymbol = "{{ currency.symbol }}";
         var accountID = {{ account.id }};
         var startBalance = {{ startBalance }};
@@ -135,5 +135,5 @@
         var overviewUri = '{{ overviewUri }}';
         var indexUri = '{{ indexUri }}';
     </script>
-    <script src="v1/js/ff/accounts/reconcile.js?v={{ FF_VERSION }}" type="text/javascript"></script>
+    <script src="v1/js/ff/accounts/reconcile.js?v={{ FF_VERSION }}" type="text/javascript" nonce="{{ JS_NONCE }}"></script>
 {% endblock %}
diff --git a/resources/views/v1/accounts/show.twig b/resources/views/v1/accounts/show.twig
index a21dda5903..4f17701d8e 100644
--- a/resources/views/v1/accounts/show.twig
+++ b/resources/views/v1/accounts/show.twig
@@ -156,7 +156,7 @@
 {% endblock %}
 
 {% block scripts %}
-    <script type="text/javascript">
+    <script type="text/javascript" nonce="{{ JS_NONCE }}">
 
         // location stuff
         {% if location %}
diff --git a/resources/views/v1/admin/update/index.twig b/resources/views/v1/admin/update/index.twig
index bce9b38c4e..52986b238b 100644
--- a/resources/views/v1/admin/update/index.twig
+++ b/resources/views/v1/admin/update/index.twig
@@ -68,8 +68,8 @@
 
 {% endblock %}
 {% block scripts %}
-    <script type="text/javascript">
+    <script type="text/javascript" nonce="{{ JS_NONCE }}">
         var updateCheckUri = '{{ route('admin.update-check.manual') }}';
     </script>
-    <script type="text/javascript" src="v1/js/ff/admin/update/index.js?v={{ FF_VERSION }}"></script>
+    <script type="text/javascript" src="v1/js/ff/admin/update/index.js?v={{ FF_VERSION }}" nonce="{{ JS_NONCE }}"></script>
 {% endblock %}
diff --git a/resources/views/v1/bills/index.twig b/resources/views/v1/bills/index.twig
index e50fb8950a..286d18c865 100644
--- a/resources/views/v1/bills/index.twig
+++ b/resources/views/v1/bills/index.twig
@@ -42,7 +42,7 @@
 {% endblock %}
 
 {% block scripts %}
-    <script type="text/javascript">
+    <script type="text/javascript" nonce="{{ JS_NONCE }}">
         var start = '2018-01-01';
         var end = '2018-01-31';
     </script>
diff --git a/resources/views/v1/bills/show.twig b/resources/views/v1/bills/show.twig
index a78f45ec38..1aecda481c 100644
--- a/resources/views/v1/bills/show.twig
+++ b/resources/views/v1/bills/show.twig
@@ -177,7 +177,7 @@
 {% endblock %}
 
 {% block scripts %}
-    <script type="text/javascript">
+    <script type="text/javascript" nonce="{{ JS_NONCE }}">
         var billCurrencySymbol = "{{ object.data.currency.symbol }}";
         var billUri = '{{ route('chart.bill.single', [object.data.id]) }}';
     </script>
diff --git a/resources/views/v1/index.twig b/resources/views/v1/index.twig
index 673f4cd63d..f75d395092 100644
--- a/resources/views/v1/index.twig
+++ b/resources/views/v1/index.twig
@@ -154,7 +154,7 @@
     </div>
 {% endblock %}
 {% block scripts %}
-    <script type="text/javascript">
+    <script type="text/javascript" nonce="{{ JS_NONCE }}">
         var billCount = {{ billCount }};
         var accountFrontpageUri = '{{ route('chart.account.frontpage') }}';
         var accountRevenueUri = '{{ route('chart.account.revenue') }}';
@@ -167,11 +167,11 @@
         {% endif %}
     </script>
 
-    <script type="text/javascript" src="v1/js/lib/Chart.bundle.min.js?v={{ FF_VERSION }}"></script>
-    <script type="text/javascript" src="v1/js/lib/chartjs-plugin-annotation.min.js?v={{ FF_VERSION }}"></script>
-    <script type="text/javascript" src="v1/js/ff/charts.defaults.js?v={{ FF_VERSION }}"></script>
-    <script type="text/javascript" src="v1/js/ff/charts.js?v={{ FF_VERSION }}"></script>
-    <script type="text/javascript" src="v1/js/ff/index.js?v={{ FF_VERSION }}"></script>
+    <script type="text/javascript" src="v1/js/lib/Chart.bundle.min.js?v={{ FF_VERSION }}" nonce="{{ JS_NONCE }}"></script>
+    <script type="text/javascript" src="v1/js/lib/chartjs-plugin-annotation.min.js?v={{ FF_VERSION }}" nonce="{{ JS_NONCE }}"></script>
+    <script type="text/javascript" src="v1/js/ff/charts.defaults.js?v={{ FF_VERSION }}" nonce="{{ JS_NONCE }}"></script>
+    <script type="text/javascript" src="v1/js/ff/charts.js?v={{ FF_VERSION }}" nonce="{{ JS_NONCE }}"></script>
+    <script type="text/javascript" src="v1/js/ff/index.js?v={{ FF_VERSION }}" nonce="{{ JS_NONCE }}"></script>
 {% endblock %}
 {% block styles %}
 {% endblock %}
diff --git a/resources/views/v1/layout/default.twig b/resources/views/v1/layout/default.twig
index f9c816d898..07466e510b 100644
--- a/resources/views/v1/layout/default.twig
+++ b/resources/views/v1/layout/default.twig
@@ -41,13 +41,13 @@
     {# Any local custom CSS.  #}
     {% block styles %}{% endblock %}
     <!--[if lt IE 9]>
-    <script src="v1/js/lib/html5shiv.min.js?v={{ FF_VERSION }}"></script>
-    <script src="v1/js/lib/respond.min.js?v={{ FF_VERSION }}"></script>
+    <script src="v1/js/lib/html5shiv.min.js?v={{ FF_VERSION }}" nonce="{{ JS_NONCE }}"></script>
+    <script src="v1/js/lib/respond.min.js?v={{ FF_VERSION }}" nonce="{{ JS_NONCE }}"></script>
     <![endif]-->
 
     {# this entry is in the header so it's loaded early #}
     {# SHA256: C45493A8175B10AC47EEDFC7C20AC31FAE5C804FB6C4F75468DB0F95112664BF #}
-    <script type="text/javascript">var forceDemoOff = false;</script>
+    <script type="text/javascript" nonce="{{ JS_NONCE }}">var forceDemoOff = false;</script>
 
     {# favicons #}
     {% include('partials.favicons') %}
@@ -176,31 +176,31 @@
 {# Java libraries and stuff: #}
 
 {# Moment JS #}
-<script src="v1/js/lib/moment.min.js?v={{ FF_VERSION }}" type="text/javascript"></script>
-<script src="v1/js/ff/moment/{{ language }}.js?v={{ FF_VERSION }}" type="text/javascript"></script>
+<script src="v1/js/lib/moment.min.js?v={{ FF_VERSION }}" type="text/javascript" nonce="{{ JS_NONCE }}"></script>
+<script src="v1/js/ff/moment/{{ language }}.js?v={{ FF_VERSION }}" type="text/javascript" nonce="{{ JS_NONCE }}"></script>
 
 {# All kinds of variables. #}
-<script src="{{ route('javascript.variables') }}?ext=.js&amp;v={{ FF_VERSION }}{% if account %}&amp;account={{ account.id }}{% endif %}" type="text/javascript"></script>
+<script src="{{ route('javascript.variables') }}?ext=.js&amp;v={{ FF_VERSION }}{% if account %}&amp;account={{ account.id }}{% endif %}" type="text/javascript" nonce="{{ JS_NONCE }}"></script>
 
 {# big fat JS thing courtesy of Vue#}
-<script src="v1/js/{{ VUE_SCRIPT_NAME|default('app') }}.js?v={{ FF_VERSION }}" type="text/javascript"></script>
+<script src="v1/js/{{ VUE_SCRIPT_NAME|default('app') }}.js?v={{ FF_VERSION }}" type="text/javascript" nonce="{{ JS_NONCE }}"></script>
 
 {# date range picker, current template, etc.#}
-<script src="v1/js/lib/daterangepicker.js?v={{ FF_VERSION }}" type="text/javascript"></script>
-<script src="v1/lib/adminlte/js/adminlte.min.js?v={{ FF_VERSION }}" type="text/javascript"></script>
-<script type="text/javascript" src="v1/js/lib/accounting.min.js?v={{ FF_VERSION }}"></script>
+<script src="v1/js/lib/daterangepicker.js?v={{ FF_VERSION }}" type="text/javascript" nonce="{{ JS_NONCE }}"></script>
+<script src="v1/lib/adminlte/js/adminlte.min.js?v={{ FF_VERSION }}" type="text/javascript" nonce="{{ JS_NONCE }}"></script>
+<script type="text/javascript" src="v1/js/lib/accounting.min.js?v={{ FF_VERSION }}" nonce="{{ JS_NONCE }}"></script>
 
 {# Firefly III code#}
-<script type="text/javascript" src="v1/js/ff/firefly.js?v={{ FF_VERSION }}"></script>
-<script type="text/javascript" src="v1/js/ff/help.js?v={{ FF_VERSION }}"></script>
+<script type="text/javascript" src="v1/js/ff/firefly.js?v={{ FF_VERSION }}" nonce="{{ JS_NONCE }}"></script>
+<script type="text/javascript" src="v1/js/ff/help.js?v={{ FF_VERSION }}" nonce="{{ JS_NONCE }}"></script>
 {% if not shownDemo %}
-    <script type="text/javascript">
+    <script type="text/javascript" nonce="{{ JS_NONCE }}">
         var routeForTour = "{{ current_route_name }}";
         var routeStepsUri = "{{ route('json.intro', [current_route_name, objectType|default("")]) }}";
         var routeForFinishedTour = "{{ route('json.intro.finished', [current_route_name, objectType|default("")]) }}";
     </script>
-    <script type="text/javascript" src="v1/lib/intro/intro.min.js?v={{ FF_VERSION }}"></script>
-    <script type="text/javascript" src="v1/js/ff/intro/intro.js?v={{ FF_VERSION }}"></script>
+    <script type="text/javascript" src="v1/lib/intro/intro.min.js?v={{ FF_VERSION }}" nonce="{{ JS_NONCE }}"></script>
+    <script type="text/javascript" src="v1/js/ff/intro/intro.js?v={{ FF_VERSION }}" nonce="{{ JS_NONCE }}"></script>
 {% endif %}
 {% block scripts %}{% endblock %}
 
@@ -208,8 +208,8 @@
     <!-- Global site tag (gtag.js) - Google Analytics -->
     <!-- This tag is only here because this instance of Firefly III was purposefully configured to include it -->
     <!-- Your own installation will NOT include it -->
-    <script async src="https://www.googletagmanager.com/gtag/js?id={{ config('firefly.analytics_id')  }}"></script>
-    <script>
+    <script async src="https://www.googletagmanager.com/gtag/js?id={{ config('firefly.analytics_id')  }}" nonce="{{ JS_NONCE }}"></script>
+    <script nonce="{{ JS_NONCE }}">
         window.dataLayer = window.dataLayer || [];
         function gtag(){dataLayer.push(arguments);}
         gtag('js', new Date());