langchain-ai · bvs-langchain · Oct 7, 2025 · Oct 2, 2025 · Oct 2, 2025 · Oct 7, 2025
diff --git a/charts/langsmith/Chart.yaml b/charts/langsmith/Chart.yaml
@@ -5,5 +5,5 @@ maintainers:
     email: ankush@langchain.dev
 description: Helm chart to deploy the langsmith application and all services it depends on.
 type: application
-version: 0.11.20
+version: 0.11.21
 appVersion: "0.11.57"
diff --git a/charts/langsmith/README.md b/charts/langsmith/README.md
@@ -557,6 +557,7 @@ For information on how to use this chart, up-to-date release notes, and other gu
 | frontend.autoscaling.targetCPUUtilizationPercentage | int | `50` |  |
 | frontend.autoscaling.targetMemoryUtilizationPercentage | int | `80` |  |
 | frontend.containerPort | int | `8080` |  |
+| frontend.cspHeader | string | `"frame-ancestors 'self'; object-src 'none'"` |  |
 | frontend.deployment.affinity | object | `{}` |  |
 | frontend.deployment.annotations | object | `{}` |  |
 | frontend.deployment.command[0] | string | `"/entrypoint.sh"` |  |
@@ -594,6 +595,7 @@ For information on how to use this chart, up-to-date release notes, and other gu
 | frontend.deployment.volumeMounts | list | `[]` |  |
 | frontend.deployment.volumes | list | `[]` |  |
 | frontend.existingConfigMapName | string | `""` |  |
+| frontend.includeNonce | bool | `false` |  |
 | frontend.ipv6Enabled | bool | `true` |  |
 | frontend.keepAliveTimeout | string | `"75"` |  |
 | frontend.maxBodySize | string | `"25M"` |  |
@@ -1066,6 +1068,6 @@ For information on how to use this chart, up-to-date release notes, and other gu
 | Ankush | <ankush@langchain.dev> |  |
 
 ----------------------------------------------
-Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)
+Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1)
 ## Docs Generated by [helm-docs](https://github.com/norwoodj/helm-docs)
 `helm-docs -t ./charts/langsmith/README.md.gotmpl`
diff --git a/charts/langsmith/templates/frontend/config-map.yaml b/charts/langsmith/templates/frontend/config-map.yaml
@@ -73,7 +73,7 @@ data:
         proxy_send_timeout {{ .Values.frontend.proxyWriteTimeout }};
         keepalive_timeout {{ .Values.frontend.keepAliveTimeout }};
 
-        add_header Content-Security-Policy "frame-ancestors 'self'; object-src 'none'" always;
+        add_header Content-Security-Policy "{{ .Values.frontend.cspHeader }}" always;
         add_header X-Frame-Options "SAMEORIGIN" always;
         add_header X-Content-Type-Options "nosniff" always;
         add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
@@ -411,18 +411,30 @@ data:
         proxy_send_timeout {{ .Values.frontend.proxyWriteTimeout }};
         keepalive_timeout {{ .Values.frontend.keepAliveTimeout }};
 
-        add_header Content-Security-Policy "frame-ancestors 'self'; object-src 'none'" always;
+        add_header Content-Security-Policy "{{ .Values.frontend.cspHeader }}" always;
         add_header X-Frame-Options "SAMEORIGIN" always;
         add_header X-Content-Type-Options "nosniff" always;
         add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
 
         access_log /var/log/nginx/access.log cache_log_json;
 
+        {{- if .Values.frontend.includeNonce }}
+        location / {
+            sub_filter_once off;
+            # Replace placeholder with nonce in HTML
+            sub_filter '%%NONCE%%' $request_id;
+
+            root   /tmp/build;
+            index  index.html index.htm;
+            try_files $uri $uri/ /index.html;
+        }
+        {{- else }}
         location / {
             root   /tmp/build;
             index  index.html index.htm;
             try_files $uri $uri/ /index.html;
         }
+        {{- end }}
 
         location = /health {
                   # health checks are frequent and boring, so we avoid logging them

diff --git a/charts/langsmith/values.yaml b/charts/langsmith/values.yaml
@@ -662,6 +662,11 @@ frontend:
   existingConfigMapName: ""
   # Nginx Max Body Size. Refer to https://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size for more information.
   maxBodySize: "25M"
+  # Custom CSP Header. Refer to https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP.
+  # If includeNonce is true, use nginx built-in $request_id as nonce (cryptographically secure because compiled with OpenSSL)
+  # Sample compatible CSP header with includeNonce: true: "script-src 'nonce-$request_id' 'strict-dynamic'; style-src 'nonce-$request_id' 'strict-dynamic'; frame-ancestors 'self'; object-src 'none'"
+  cspHeader: "frame-ancestors 'self'; object-src 'none'"
+  includeNonce: false
   proxyReadTimeout: "300"
   proxyWriteTimeout: "300"
   proxyConnectTimeout: "60"