Merge pull request #7314 from kenjis/add-note-for-CSP-and-DebugBar

kenjis · web-flow · commit 73d748de8b4d · 2023-03-02T09:33:03.000+09:00
docs: add note for CSP and Debug Toolbar
diff --git a/user_guide_src/source/outgoing/response.rst b/user_guide_src/source/outgoing/response.rst
@@ -140,6 +140,13 @@ visit the following sites:
 Turning CSP On
 --------------
 
+.. important:: The :ref:`Debug Toolbar <the-debug-toolbar>` may use Kint, which
+    outputs inline scripts. Therefore, when CSP is turned on, CSP nonce is
+    automatically output for the Debug Toolbar. However, if you are not using
+    CSP nonce, this will change the CSP header to something you do not intend,
+    and it will behave differently than in production; if you want to verify CSP
+    behavior, turn off the Debug Toolbar.
+
 By default, support for this is off. To enable support in your application, edit the ``CSPEnabled`` value in
 **app/Config/App.php**:
 
