diff --git a/nosecone-next/index.ts b/nosecone-next/index.ts
index 40d4d2dc1..31cc6b8a2 100644
--- a/nosecone-next/index.ts
+++ b/nosecone-next/index.ts
@@ -8,15 +8,13 @@ export const defaults = {
   contentSecurityPolicy: {
     directives: {
       ...baseDefaults.contentSecurityPolicy.directives,
-      scriptSrc:
-        // Replace the defaults to remove `'self'`
-        process.env.NODE_ENV === "development"
-          ? // Next.js hot reloading relies on `eval` so we enable it in development
-            ([nonce, "'unsafe-eval'"] as const)
-          : ([nonce] as const),
+      scriptSrc: [
+        ...baseDefaults.contentSecurityPolicy.directives.scriptSrc,
+        ...nextScriptSrc(),
+      ],
       styleSrc: [
         ...baseDefaults.contentSecurityPolicy.directives.styleSrc,
-        "'unsafe-inline'",
+        ...nextStyleSrc(),
       ],
     },
   },
@@ -29,6 +27,17 @@ function nonce() {
   return `'nonce-${btoa(crypto.randomUUID())}'` as const;
 }
 
+function nextScriptSrc() {
+  return process.env.NODE_ENV === "development"
+    ? // Next.js hot reloading relies on `eval` so we enable it in development
+      ([nonce, "'unsafe-eval'"] as const)
+    : ([nonce] as const);
+}
+
+function nextStyleSrc() {
+  return ["'unsafe-inline'"] as const;
+}
+
 /**
  * Create Next.js middleware that sets secure headers on every request.
  *
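Review bot: The new scriptSrc in the first hunk spreads baseDefaults.contentSecurityPolicy.directives.scriptSrc back in, while the removed lines carried the comment "Replace the defaults to remove `'self'`" and deliberately did not include the base list; if the base scriptSrc still contains `'self'` (inferred from that comment, not visible here), this commit silently widens script-src so that any same-origin script runs without the nonce, which is what the nonce-only policy was meant to prevent. Either the widening is intended and should be stated, or scriptSrc should keep replacing rather than extending the base, e.g. `scriptSrc: nextScriptSrc(), // replaces the base list on purpose: the nonce is the only script authorization` (with the `as const` tuple returned by nextScriptSrc that still typechecks as before). The styleSrc change in the same hunk is behavior-preserving and needs no change.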
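Review bot: The two helpers added in the second hunk are undocumented, and the `'unsafe-inline'` returned by nextStyleSrc carries no rationale even though it is the one CSP relaxation that survives in production. A TSDoc on nextScriptSrc should say that it yields the nonce source plus `'unsafe-eval'` only when NODE_ENV is "development", and that because it is called while `defaults` is being built the NODE_ENV check happens once at module load rather than per request (inferred from the call site in the first hunk). nextStyleSrc should get a one-line comment such as `// Next.js emits inline style attributes/tags; keep 'unsafe-inline' for style-src only, never for script-src` if that is the reason, or whatever the actual justification is.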