From abd1dddb0b186cac8040b12f8a02bae37496714b Mon Sep 17 00:00:00 2001
From: Brett Dorrans <b.dorrans@codat.io>
Date: Mon, 27 Apr 2026 13:28:19 +0100
Subject: [PATCH 1/3] Add blog post announcing CSP nonce support in Link

Also adds brettdorrans to blog/authors.yml as the post author.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 blog/260427-csp-nonce-link.md | 58 +++++++++++++++++++++++++++++++++++
 blog/authors.yml              |  8 ++++-
 2 files changed, 65 insertions(+), 1 deletion(-)
 create mode 100644 blog/260427-csp-nonce-link.md

diff --git a/blog/260427-csp-nonce-link.md b/blog/260427-csp-nonce-link.md
new file mode 100644
index 000000000..c28323c36
--- /dev/null
+++ b/blog/260427-csp-nonce-link.md
@@ -0,0 +1,58 @@
+---
+title: "CSP nonce support in Link"
+date: "2026-04-27"
+tags: ["Product", "Update", "Link"]
+authors: brettdorrans
+---
+
+You can now pass a Content Security Policy (CSP) nonce to our Link SDK, making it simpler to embed Link in apps that enforce strict browser security policies.
+
+<!--truncate-->
+
+## What's new?
+
+The Link SDK now accepts a `nonce` option that it applies to every `<style>` tag it injects into your page. With this in place, your app can use a strict CSP `style-src` directive instead of allowing `unsafe-inline`, which previously was required to render Link's styles.
+
+In your `CodatLink` component:
+
+```jsx
+<CodatLink
+  companyId={companyId}
+  options={{ nonce }}
+/>
+```
+
+Then in your CSP header:
+
+```
+style-src 'self' 'nonce-r4nd0mB4se64Val==' *.codat.io;
+```
+
+For full setup steps, including how to generate and surface the nonce, see [CSP nonce](/auth-flow/customize/sdk-customize-code#csp-nonce) in our SDK customization docs.
+
+:::tip Existing setups are unaffected
+If you don't pass a `nonce`, Link works exactly as before. You only need to opt in if you want to remove `unsafe-inline` from your CSP.
+:::
+
+### Why does this matter?
+
+- **Stronger browser security:** Strict CSPs help protect your customers from cross-site scripting (XSS) attacks. Removing `unsafe-inline` is one of the highest-impact changes you can make to your CSP.
+- **Compliance-friendly:** If your security or compliance team has flagged `unsafe-inline` in your CSP, this gives you a clean path to remove it.
+- **No styling trade-offs:** Link continues to render with the same look and feel you've configured in the Portal - the nonce only changes how the browser trusts the styles, not the styles themselves.
+
+The same `nonce` option is also available in the Connections and Bank Feeds SDKs, so a single nonce-based CSP can cover all three.
+
+## Who is this relevant for?
+
+This update is for clients who embed Link (or Connections, or Bank Feeds) in an app that sets a Content Security Policy, particularly anyone working to remove `unsafe-inline` from their `style-src` directive.
+
+## How to get started?
+
+The `nonce` option is available now. To start using it:
+
+1. Configure your server to generate a unique, cryptographically random nonce for each request.
+2. Expose the nonce to the browser, for example via a `<meta>` tag.
+3. Pass the value to the SDK through `options.nonce`.
+4. Update your CSP header to swap `style-src 'unsafe-inline'` for `style-src 'nonce-<value>'`.
+
+The full migration guide is in our [SDK customization documentation](/auth-flow/customize/sdk-customize-code#csp-nonce).
diff --git a/blog/authors.yml b/blog/authors.yml
index ba1a45520..b46a47b1b 100644
--- a/blog/authors.yml
+++ b/blog/authors.yml
@@ -148,8 +148,14 @@ tom-binnington-codat:
   url: https://github.com/tom-binnington-codat
   image_url: https://github.com/tom-binnington-codat.png
 
+brettdorrans:
+  name: Brett Dorrans
+  title: Staff Frontend Engineer
+  url: https://github.com/brettdorrans
+  image_url: https://github.com/brettdorrans.png
+
 a-diarra:
   name: Aïcha Diarra
   title: Head of Support
   url: https://github.com/a-diarra
-  image_url: https://github.com/a-diarra.png
\ No newline at end of file
+  image_url: https://github.com/a-diarra.png

From 26a1bd3d25323017413725444988681370e6e83a Mon Sep 17 00:00:00 2001
From: Polina <112084241+pzaichkina@users.noreply.github.com>
Date: Mon, 27 Apr 2026 18:02:05 +0100
Subject: [PATCH 2/3] Update 260427-csp-nonce-link.md

---
 blog/260427-csp-nonce-link.md | 62 +++++++++++++++--------------------
 1 file changed, 26 insertions(+), 36 deletions(-)

diff --git a/blog/260427-csp-nonce-link.md b/blog/260427-csp-nonce-link.md
index c28323c36..1a971b295 100644
--- a/blog/260427-csp-nonce-link.md
+++ b/blog/260427-csp-nonce-link.md
@@ -1,58 +1,48 @@
 ---
-title: "CSP nonce support in Link"
+title: "Codat's SDKs now support CSP"
 date: "2026-04-27"
 tags: ["Product", "Update", "Link"]
 authors: brettdorrans
 ---
 
-You can now pass a Content Security Policy (CSP) nonce to our Link SDK, making it simpler to embed Link in apps that enforce strict browser security policies.
+You can now pass a Content Security Policy (CSP) nonce to our Link, Connections, and Bank Feeds SDKs, making it simpler to embed them in apps that enforce strict browser security policies.
 
 <!--truncate-->
 
 ## What's new?
 
-The Link SDK now accepts a `nonce` option that it applies to every `<style>` tag it injects into your page. With this in place, your app can use a strict CSP `style-src` directive instead of allowing `unsafe-inline`, which previously was required to render Link's styles.
+Our Link SDK now accept a `nonce` option that it applies to every `<style>` tag it injects into your page. This means your app can use a strict CSP `style-src` directive instead of allowing `unsafe-inline`, which previously was required to render the SDK's styles. This option is also available in the Connections and Bank Feeds SDKs, so a single nonce-based CSP can cover all three.
 
-In your `CodatLink` component:
+This change results in the following benefits:
 
-```jsx
-<CodatLink
-  companyId={companyId}
-  options={{ nonce }}
-/>
-```
-
-Then in your CSP header:
-
-```
-style-src 'self' 'nonce-r4nd0mB4se64Val==' *.codat.io;
-```
-
-For full setup steps, including how to generate and surface the nonce, see [CSP nonce](/auth-flow/customize/sdk-customize-code#csp-nonce) in our SDK customization docs.
+- **Stronger browser security:** strict CSPs help protect your customers from cross-site scripting (XSS) attacks. Removing `unsafe-inline` is one of the most impactful changes you can make to your CSP.
+- **Compliance-friendly:** if your security or compliance team has previously flagged `unsafe-inline` in your CSP, this change gives you a clean path to remove it.
+- **No styling trade-offs:** the SDK continues to render with the same look and feel you've configured in the Portal. The nonce only changes how the browser trusts the styles, not the styles themselves.
 
 :::tip Existing setups are unaffected
-If you don't pass a `nonce`, Link works exactly as before. You only need to opt in if you want to remove `unsafe-inline` from your CSP.
+If you don't pass a `nonce` option, the SDKs continue to work as before. You only need to apply the change if you want to remove `unsafe-inline` from your CSP.
 :::
 
-### Why does this matter?
-
-- **Stronger browser security:** Strict CSPs help protect your customers from cross-site scripting (XSS) attacks. Removing `unsafe-inline` is one of the highest-impact changes you can make to your CSP.
-- **Compliance-friendly:** If your security or compliance team has flagged `unsafe-inline` in your CSP, this gives you a clean path to remove it.
-- **No styling trade-offs:** Link continues to render with the same look and feel you've configured in the Portal - the nonce only changes how the browser trusts the styles, not the styles themselves.
-
-The same `nonce` option is also available in the Connections and Bank Feeds SDKs, so a single nonce-based CSP can cover all three.
-
 ## Who is this relevant for?
 
-This update is for clients who embed Link (or Connections, or Bank Feeds) in an app that sets a Content Security Policy, particularly anyone working to remove `unsafe-inline` from their `style-src` directive.
+This update is for clients who embed Codat's SDKs (Link, Connections, or Bank Feeds) in an app that sets a Content Security Policy, especially those working to remove `unsafe-inline` from their `style-src` directive.
 
 ## How to get started?
 
-The `nonce` option is available now. To start using it:
-
-1. Configure your server to generate a unique, cryptographically random nonce for each request.
-2. Expose the nonce to the browser, for example via a `<meta>` tag.
-3. Pass the value to the SDK through `options.nonce`.
-4. Update your CSP header to swap `style-src 'unsafe-inline'` for `style-src 'nonce-<value>'`.
-
-The full migration guide is in our [SDK customization documentation](/auth-flow/customize/sdk-customize-code#csp-nonce).
+The `nonce` option is available immediately. To start using it, follow these steps:
+
+1. Configure your server to generate a unique cryptographically random nonce for each request.
+2. Expose the nonce to the browser (for example, using a `<meta>` tag).
+3. Pass the value to the SDK through `options.nonce`:
+    ```jsx
+    <CodatLink
+      companyId={companyId}
+      options={{ nonce }}
+    />
+    ```
+5. Update your CSP header to swap `style-src 'unsafe-inline'` for `style-src 'nonce-<value>'`.
+    ```
+    style-src 'self' 'nonce-r4nd0mB4se64Val==' *.codat.io;
+    ```
+
+The full migration guide and detailed configuration steps are available in [CSP nonce](/auth-flow/customize/sdk-customize-code#csp-nonce) in our SDK documentation.

From b3bdf4886d6d1c9aa7ce7cc0be8b832349831a91 Mon Sep 17 00:00:00 2001
From: Polina <112084241+pzaichkina@users.noreply.github.com>
Date: Mon, 27 Apr 2026 18:58:55 +0100
Subject: [PATCH 3/3] Update 260427-csp-nonce-link.md

---
 blog/260427-csp-nonce-link.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/blog/260427-csp-nonce-link.md b/blog/260427-csp-nonce-link.md
index 1a971b295..a46c8ced3 100644
--- a/blog/260427-csp-nonce-link.md
+++ b/blog/260427-csp-nonce-link.md
@@ -5,12 +5,14 @@ tags: ["Product", "Update", "Link"]
 authors: brettdorrans
 ---
 
-You can now pass a Content Security Policy (CSP) nonce to our Link, Connections, and Bank Feeds SDKs, making it simpler to embed them in apps that enforce strict browser security policies.
+You can now pass a Content Security Policy (CSP) nonce to our Link, Connections, and Bank Feeds SDKs.
 
 <!--truncate-->
 
 ## What's new?
 
+We've made it simpler to embed our SDKs in apps that enforce strict browser security policies.
+
 Our Link SDK now accept a `nonce` option that it applies to every `<style>` tag it injects into your page. This means your app can use a strict CSP `style-src` directive instead of allowing `unsafe-inline`, which previously was required to render the SDK's styles. This option is also available in the Connections and Bank Feeds SDKs, so a single nonce-based CSP can cover all three.
 
 This change results in the following benefits: