diff --git a/app/javascript/application.ts b/app/javascript/application.ts
index 66d681ab0..a93c1adad 100644
--- a/app/javascript/application.ts
+++ b/app/javascript/application.ts
@@ -1,8 +1,7 @@
 // Entry point for the build script in your package.json
 import Rails from '@rails/ujs'
-import $ from 'jquery'
-window.$ = $ // Just needed for selectize
+import $ from 'jquery' // Just needed for selectize
 import 'masonry-layout'
@@ -18,6 +17,7 @@ import 'src/file_size_validation'
 // Load i18n definitions
 import { I18n } from 'i18n-js'
 import locales from 'src/locales.json'
+window.$ = $
 Rails.start()
diff --git a/app/views/layouts/application.html.erb b/app/views/layouts/application.html.erb
index f290a8167..7427f615e 100644
--- a/app/views/layouts/application.html.erb
+++ b/app/views/layouts/application.html.erb
@@ -7,7 +7,7 @@
     <%= csp_meta_tag %>
     <%= favicon_link_tag "logo.png" %>
     <%= javascript_include_tag "application", nonce: true %>
-    <%= stylesheet_link_tag "application" %>
+    <%= stylesheet_link_tag "application", nonce: true %>
diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
index 9df9d1b99..7b618e452 100644
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
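Review bot: Moving `window.$ = $` below the remaining imports (the second hunk of this file) does not change when jQuery becomes global relative to the imported modules: ES module imports are hoisted, so every imported module, selectize included if it is among the `src/...` imports, has already evaluated before any statement in this module body runs, exactly as it did when the assignment sat directly under `import $ from 'jquery'`. If the intent is for selectize to find `window.$` during its own module evaluation, that needs a separate module that does the assignment and is imported before selectize, not a reordering inside this file. If selectize only looks up `window.$` lazily at call time, the move is harmless and the only regression is that `// Just needed for selectize` now annotates the import rather than the assignment it explains, so I'd move that comment onto the `window.$ = $` line in the second hunk.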
@@ -2,8 +2,27 @@
 # See the Securing Rails Applications Guide for more information:
 # https://guides.rubyonrails.org/security.html#content-security-policy-header
+# I'f we're using Scout DevTrace in local development, we need to allow a load
+# of inline stuff, so we need to add that and disable the nonce generation
+
+using_scout = (ENV.fetch("SCOUT_DEV_TRACE", false) === "true")
+
+scout_csp = using_scout ? [
+  :unsafe_inline, "https://apm.scoutapp.com", "https://scoutapm.com"
+] : []
+
 Rails.application.configure do
   config.content_security_policy do |policy|
+    policy.default_src :self
     policy.frame_ancestors :self
+    policy.frame_src :none
+    policy.img_src(*([:self, :data] + scout_csp))
+    policy.object_src :none
+    policy.script_src(*([:self] + scout_csp))
+    policy.style_src(*([:self] + scout_csp))
+  end
+
+  unless using_scout
+    config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }
   end
 end
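Review bot: The Scout relaxation is gated only on the `SCOUT_DEV_TRACE` variable and not on the Rails environment, so the `:unsafe_inline` sources in `script_src`/`style_src` and the disabled nonce generator would take effect in production as well if that variable were ever set there; the comment promises "local development" but nothing in the code enforces it. I'd gate on both and use plain `==` (Ruby's `===` is case-equality, which happens to work for two strings but reads as strict equality): `using_scout = Rails.env.development? && ENV.fetch("SCOUT_DEV_TRACE", "false") == "true"`. Inside the policy block, `img_src` inherits `:unsafe_inline` from `scout_csp` although img-src does not honour that keyword, so only the two hosts belong there, and since neither base-uri nor form-action falls back to default-src, `policy.base_uri :self` and `policy.form_action :self` would round out the `object_src :none` hardening. The session-id nonce is the pattern from the Rails guide, but it is constant for the whole session and embedded in every response, so a nonce observed in any one page stays valid for that session; a per-request `SecureRandom.base64(16)` avoids that if you are not relying on the stable value for page caching. Also the comment typo `I'f` should read `If`.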